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A  TRACE  SPECIFICATION  OF  THE  MMS  SECURITY  MODEL* 


1  Introduction 

The  MMS  security  model  presented  in  [Land84]  is  an  abstract,  mathematically  precise  specifica¬ 
tion  of  the  information  security  requirements  of  a  multilevel  secure  electronic  message  system. 
This  report  presents  a  trace  specification  of  the  basic  behavior  and  security  properties  of  thirty 
one  procedures  that  might  form  part  of  such  a  message  system.  These  procedures  are  specified 
in  such  a  way  as  to  guarantee  that  they  satisfy  the  requirements  of  the  security  model  presented 
in  [Land84],  given  a  certain  trace  interpretation  of  the  predicates  found  in  the  MMS  model. 

The  remainder  of  this  section  contains  background  material  and  may  be  skimmed  or  skipped 
by  the  reader  who  is  already  familiar  with  the  trace  specification  language  and  the  Hoffman 
methodology. 

1.1  The  Trace  Specification  Language 

The  trace  language  provides  for  the  specification  of  software  modules  in  terms  of  the  effects 
(such  as  return  values)  that  the  user  sees  when  (s)he  executes  a  sequence  of  procedure  and 
function  calls.  These  sequences  are  called  traces.  ^The  idea  of  basing  specifications  on  traces 
was  first  suggested  in  [Bart77]  and  later  formalized  in  [McLean85].  The  heuristic  methodology 
presented  in  [Hoff84]  and  [Hoff86]  makes  it  easier  to  understand  and  write  trace  specifications, 
and  I  will  adopt  that  methodology  here. 

M.  trace  specification  consists  of  a  syntax  section  and  a  semantics  section.  The  syntax  section 
states  the  name  and  parameter  types  of  each  of  the  module’s  procedures  and  the  name,  parameter 
types,  and  return  value  type  of  each  of  the  module’s  function  calls.v  The  semantics  section  contains 
axioms  formalized  in  a  two-sorted  language  of  first-order  logic  with  identity,  with  one  set  of 
variables  {R,R\, Rz,  ...S, S\, S2, ... T, T\,T2, ...}  to  be  understood  as  ranging  over  traces.  In 
addition  to  the  usual  logical  connectives  there  is  an  interpreted  binary  function  symbol  (.),  which 
serves  as  a  notation  for  concatenating  trace  terms.  If  X  is  a  trace  variable,  the  empty  trace  e,  a 
procedure  call,  or  a  function  call,  then  X  is  a  well-formed  trace  term;  if  X  and  Y  are  trace  terms, 
then  (X.T)  is  a  well-formed  trace  term.  Nothing  else  is  a  trace  term.  A  function  (procedure)  call 
is  a  function  (procedure)  name  followed  by  the  requisite  number  of  parameters  of  appropriate 
types.  In  place  of  a  formal  axiom  of  associativity  for  concatenation  I  adopt  the  convention  of 
dropping  the  parentheses  around  the  subterms  of  a  trace  term. 
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The  axioms  that  appear  in  the  semantics  section  of  a  trace  specification  state  or  entail  infor¬ 
mation  about  which  traces  are  legal  and  about  the  values  returned  by  legal  traces  that  end  with 
function  calls.  The  legality  predicate  and  the  value  function  are  usually  formalized  using  the 
unary  predicate  symbol  L  and  the  unary  function  symbol  V,  respectively.  One  additional  and 
very  handy  piece  of  notation  is  trace  equivalence  =,  defined  as  follows  ([McLean86],  p.  4): 

S  =  T  =df  VR  [C L(S.R )  *-*  L(T.R ))  A  (R  f  e  «-*  (3 xV(S.R)  =  x  «-*  V(S.R)  =  V(T.R)))] 

In  other  words,  two  traces  are  equivalent  just  in  case  they  agree  on  (i)  present  and  future  legality 
and  (ii)  all  future  return  values.  Intuitively,  two  traces  are  equivalent  provided  that  they  place 
the  module  in  the  same  “state,”  as  far  as  the  user  can  tell.  The  intuitive  idea  of  module  state 
has  great  heuristic  value  and  plays  an  important  role  in  the  Hoffman  methodology,  which  I  will 
presently  describe. 

1.2  The  Hoffman  Methodology 

In  [Hoff84]  (and  in  [Hoff86]  with  Richard  Snodgrass)  Daniel  Hoffman  describes  a  set  of  heuris¬ 
tics  for  writing  trace  specifications,  the  most  basic  of  which  being  these:1 

•  Base  the  specification  on  a  definition  of  normal  form  traces. 

•  Structure  the  semantics  according  to  normal  form  prefixes. 

The  notion  of  a  normal  form  trace  is  based  on  the  following  concept  of  module  state :  Two 
traces  place  the  module  into  the  same  state  provided  that  a  user  could  not  distinguish  between 
them  by  appending  a  series  of  procedure  and  function  calls  and  comparing  return  values  (and 
error  messages).  In  other  words,  two  traces  represent  the  same  state  iff  they  are  trace-equivalent. 
Normal  form  traces  are  the  canonical  representatives  of  the  states  of  a  module.  They  allow  one  to 
structure  a  trace  specification  in  such  a  way  as  to  make  explicit  exactly  how  procedures  move  the 
module  from  one  state  to  another.  Formally,  a  normal  form  for  a  trace  specification  is  simply  any 
set  of  traces  containing  at  least  one  trace  from  each  equivalence  class  of  the  trace-equivalence 
relation  =.  Every  legal  trace  is  therefore  equivalent  to  at  least  one  normal  form  trace,  for  any 
given  normal  form. 

One  would  typically  define  a  normal  form  by  means  of  an  explicit  definition.  For  example, 
in  his  simple  stack  specification  Hoffman  defines  a  trace  to  be  in  normal  form  iff  it  consists 
only  of  push  calls.2  It  is  also  possible  to  define  a  normal  form  recursively.  One  does  this  in 
two  steps:  first,  by  stipulating  that  the  empty  trace  is  in  normal  form;  then,  for  each  normal 
form  trace  T  and  procedure  call  C,  one  states  the  conditions  under  which  T.C  is  in  normal  form. 
Since  one  is  normally  interested  only  in  legal  traces,  one  can  instead  do  the  recursion  by  stating, 
for  each  normal  form  trace  T  and  procedure  call  C  such  that  T.C  is  a  legal  trace,  the  conditions 
under  which  T.C  is  a  normal  form  trace. 

Given  a  definition  of  normal  form  and  trace-legality,  the  next  step,  according  to  the  Hoffman 
methodology,  is  to  specify  an  equivalent  normal  form  trace  for  each  legal  trace  T.C  such  that  T 

1  [HoffR6I,  p.  6. 

2See  [Hoff86],  p.  8. 


is  in  normal  form  but  T.C  is  not.  Doing  this  insures  that  every  legal  trace  is  provably  equivalent 
to  some  normal  form  trace;  consider  an  arbitrary  legal  trace  C\.C2  . . .  C„.  If  every  legal  trace 
of  the  form  T.C,  where  T  is  in  normal  form,  is  provably  equivalent  to  some  normal  form  trace, 
then  a  normal  form  trace  provably  equivalent  to  C].C2 . . .  C„  can  be  constructed  as  follows:  let 
So  =  e,  and  if  S,.C1+i  is  a  normal  form  trace  and  i  <  n,  then  let  S,+i  =  S,.C(+1,  otherwise  let 
S1+i  =  T,  where  T  is  a  normal  form  trace  equivalent  to  S;.C1+ Each  S,  is  in  normal  form,  so 
there  will  always  exist  such  a  T.  Clearly,  S„  is  trace-equivalent  to  C1.C2 . . .  C„. 

Once  a  normal  form  equivalent  has  been  specified  for  each  trace  having  a  normal  form  prefix, 
the  final  step  is  to  specify  the  return  values  of  all  function  calls.  This  is  done  by  specifying  the 
value  of  every  legal  trace  T.C,  where  T  is  any  normal  form  trace  and  C  is  any  function  call. 


2  The  MMS  model  trace  specification 

This  section  begins  with  a  discussion  of  the  way  in  which  normal  forms  and  legality  are  defined 
in  the  MMS  model  trace  specification.  Following  this  will  be  a  discussion  of  the  procedures 
that  have  been  specified,  grouped  by  function,  and  a  discussion  of  the  predicates  that  define  the 
security  properties  of  the  MMS  model. 


2.1  Normal  forms  and  legality 

Normal  forms  and  legality  in  the  MMS  model  specification  are  defined  by  mutually  recursive 
axioms  of  the  following  form  for  each  procedure  call  in  the  module: 

nf(T)  ->  (LfT^call))  { formula  1)) 

(nf \T)  A  L(7\(call)))  (nf(7\(call))  *-*  (formula2)) 

where  the  formulas  that  replace  (formulal))  and  (formula2))  are  assumed  not  to  contain  any 
occurrence  of  the  predicates  nf  and  L.  In  addition,  we  assume  that  the  empty  trace  e  is  a  normal 
form  trace,  that  the  longest  proper  prefix  of  a  legal  trace  is  legal,  that  every  normal  form  trace 
is  legal,  and  that  the  longest  proper  prefix  of  a  normal  form  trace  is  a  normal  form  trace;  i.e.  we 
assume: 

nf(e) 

VC  (L(7.C)  —  L(7)) 

(nf(T)  -  L (T)) 

VC  (nf(T.C)  nf(T)) 

These  two  schemata  and  the  fouradditional  axioms  displayed  above  are  sufficient  to  define  the 
legality  and  normal  form  status  of  every  trace.  To  see  that  this  is  so,  consider  the  following 
construction  of  the  respective  truth  values  of  nf (7)  and  L(7)  for  an  arbitrary  trace  T:  If  7"  =  e, 
then  nf(7)  and  L (T)  are  true,  and  we  are  done.  Suppose  instead  that  T  =  R.C  and  that  the  truth 
values  of  nf(/?)  and  L(/?)  are  known.  If  L(R)  is  false,  then  nf(T)  and  L(D  a’-e  both  false,  and  we 
are  done.  Suppose,  then,  that  L(/?)  is  true,  and  define  the  trace  5  as  follows: 

of  R.  if  nf(/?); 

1  S'.  otherwise,  for  some  5'  where  S'  =  R  and  nf(5'). 

By  the  axiom  schemata,  there  exist  formulas  o  and  \  such  that  the  following  are  axioms: 


■vV/c.'.V- 


mm# 


nf(S)  —  (L(S.C)  ~  t/>) 

(nf(5)  A  L(5.C))  -4  (nf(S.C)  <-►  X) 

Given  these  formulas  the  truth  values  of  nf(T)  and  L(T)  are  determined  as  follows:  L(T)  has  the 
same  truth  value  as  tp,  since  S  =  R;  if  L(S.C)  is  false,  then  by  the  equivalence  of  S  and  R,  L(T) 
is  also  false  and  so  nf (T)  is  false.  Suppose  L(S.C)  is  true;  if  S  R,  then  nf (/?)  is  false  and  so 
nf (T)  is  false.  If  S  =  R,  then  T  =  S.C,  and  so  nf(T)  has  the  same  truth  value  as 

This  construction  shows  that  legality  and  the  normal  form  predicate  are  completely  “defined” 
in  the  following  sense:  given  axioms  of  the  sort  described  above  as  hypotheses,  the  truth  value 
of  any  formula  of  the  form  nf (T)  or  of  the  form  L(T)  is  provably  a  function  of  the  truth  values 
of  formulas  that  do  not  contain  the  normal  form  and  legality  predicates.  The  construction  is  not 
an  effective  procedure  for  deciding  normal  form-hood  and  legality,  however,  because  tp  and  \ 
may  not  be  decidable  formulas  and  because  the  formula  S'  is  merely  chosen,  not  constructed. 

2.2  Initializing  procedures 

First  we  consider  the  procedures  create.user,  delete.user,  login,  and  logout;  create.user  is 
specified  as  follows:3 

Create_user 

nf(7)  —  [L(7'.create.user(M,  v,  0)  —>  [RO(u,  T,  sso )  A  user.existsfu,  T)  A  logged_in(u,  7)A 
-’uscr_cxists(v.  7)  a  ref-sec  ure(7,  create_user(u,  v,  0)]] 

(nf(7)  A  L(7  create_user(u,  v,  0)1  —  (nf(7-.create.iiser(u,  v,  0  ~>3u'  3 R  fF  =  i?.delete_user(«',  v)  A  CU(v,  R)  =  /]J 

[nf(7)  A  L(7.create_user(«,  v,  /))  A  T  =  /?.delete.user(«,  v)  A  CU(v,  R)  =  /]  — +  F.create.user(«,  v,[)  =  R 

These  formulas  state  the  following:  first,  the  result  of  appending  create_user  to  a  normal  form 
trace  is  legal  if  and  only  if:  the  creating  user  exists,  is  logged  in,  and  has  the  role  of  System 
Security  Officer,  the  created  user  does  not  already  exist,  and  the  trace  and  procedure  call  also 
stand  in  the  ref_secure  relation,  about  which  we  shall  have  more  to  say  later.  If  these  conditions 
are  satisfied,  then  this  trace,  which  results  from  appending  create.user  to  a  normal  form  trace 
T,  is  itself  in  normal  form  just  in  case  T  does  not  end  with  a  deletion  of  the  soon-to-be-created 
user  while  he  has  the  same  security  clearance  that  he  is  about  to  be  created  at.  The  third  axiom 
states  that  if  the  user  is  redundantly  deleted  and  then  recreated  at  the  same  security  clearance,  it 
is  then  as  if  neither  operation  had  been  performed. 

Obviously,  one  user  must  exist  at  the  beginning  in  order  to  create  the  others.  This  user  is 
called  Root  in  the  specification;  Root  exists  by  definition,  and  is  defined  to  have  the  role  of 
system  security  officer  at  all  times. 

These  are  the  definitions  of  all  but  one  of  the  predicates  used  in  the  specification  of  create.user. 
(The  definition  of  the  one  other  predicate,  ref.secure,  can  be  found  in  the  Appendix.  Its  definition 
presupposes  the  material  introduced  in  section  2.4.) 

RO(v.  7  .  r)  —  [[  v  =  Root  A  r  =  .mo)  V  35  [somc_nonC(2,2)(S,  add _RO.  rm.RO,  2.  v,  3,  r,  2,  v,  3,  r,  T)A 
-^in  jifteri  (.V,  delete.user.  2.  v,  7)1] 


3 For  an  explanation  of  the  trace  predicates  used  here  and  throughout  the  rest  of  this  report,  see  |Land84). 
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user.exists(u,  7)  — *  [u  =  Root  V  3S  some-none^  u(S,  create.user,  delete.user,  2,  u ;  2,  u ,  7}] 
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The  in_after  and  some_none  predicates  are  convenient  abbreviations  for  very  long  and  compli¬ 
cated  formulas4  and  will  be  used  many  times.  some_none  is  really  a  family  of  predicates  that 
allow  one  to  say  that  a  trace  contains  an  occurrence  of  a  procedure  call  of  one  sort  that  is 
not  followed  by  an  occurrence  of  a  procedure  call  of  a  certain  other  sort.  More  specifically, 

some_none(m,„)(5.  C\ ,  c2Ji ,  X\ . ym,  xm;  ,  y, . kn,yn,T)  states  that  S  is  a  prefix  of  T  and  is 

followed  in  T  by  a  call  to  procedure  C\.  This  call  has  argument  x,  in  position  jt,  for  i  from  1 
to  m,  and  there  docs  not  exist  in  T  after  S  and  the  call  to  C\  that  follows  it,  any  occurrence  of 
a  call  to  C2  having  argument  y,  in  position  ki ,  for  i  from  1  to  n.  The  predicate  in_after  has  a 

similar  flavor:  in_after„(S,  c,  k\,X\ . kn,xn,T)  states  that  a  call  to  procedure  c  with  x,  as  the 

k, th  argument,  for  i  from  1  to  n ,  occurs  immediately  after  S  in  T,  where,  again  S  is  a  prefix  of  T. 
The>c  predicates,  and  similar  predicates  discussed  later  on,  are  useful  because  they  allow  one  to 
specify  the  current  value  of  some  parameter,  for  example,  someone’s  security  clearance,  as  the 
value  it  was  given  the  last  time  it  was  modified. 

The  procedure  deleteoiser  has  this  specification: 

Delete.user 

nf(T)  — •  [L(7. delete -user(u,  v))  <— 

[logged_in(u,  T)  a  RO(m,  T,  sso)  a  user.exists(v,  T)  A  ref-sec ure(T,  delete.user(u,  v))]] 

(nf(7)  A  L('r.delete.user(M,  vj)  —  [nf(7dclete_user(«,  v)  <-►  [-.3m'  35  7"  =  S.  ere  ate. user  (u' .  v)] 
lnf(7)  A  L(7  .delete.user(«,  v))  A  T  =  ,S'  create.user(u' ,  v)]  —  r.delete_user(«,  v)  =  .S'] 

Note  that  with  delete.user,  as  with  create.user,  normal  form  status  depends  on  the  absence  of 
procedure  calls  that  immediately  cancel  one  another  out.  A  trace  ending  with  a  call  to  deletejiser 
is  in  normal  form  only  if  its  longest  proper  prefix  does  not  end  with  a  call  to  create.user  that 
creates  the  userid  that  is  about  to  be  deleted. 

Next  we  consider  the  login  and  logout  procedures.  They  are  specified  as  follows: 

login 

nf(73  —  [L(7\login(M,  d))  —  [-’loggcd.in(u.  d.  T )  A  uscr.exists(«,  T)  A  ref.secure(r.  login(u.  d)))] 

[nf('0  A  Li7.1ogin(M,  d))}  —  [nf(7'.login(«,  d))  —  — >3jc 37?  T  =  /?.logout(u,  d )] 

[nf('0  A  L(7  l«gin(w,  d»  A  T  =  /?.logout(u,  d))]  —  TMoginO*.  d)~  T 


logout 

nf(7)  —  [L(/ logout(M,  d))  —  [logged Jn(«,  d.  7)  A  3r3k  H(d.  T.  r.  k)  A  rcf.sccure(7'.  logout(u,  d))}\ 

[nf(7)A  L(7  logout(«.  d))\  —  [nf(7  logout(u,  d))  - - 3ST  =  S  login(M,  d)\ 

(nf(7)  A  L(7  logout(w.  d))  A  7  =  S.login(u.  d)\  —  /  logout (w,  d)  =  S] 

That  is,  logging  in  at  a  given  device  d  is  legal  only  if  you  are  not  already  logged  in  on  d, 

and  logging  in  preserves  normal  form-hood  only  if  you  did  not  just  logout  of  the  same  device. 

4Scc  the  definitions  in  the  appendix. 


Similarly,  logging  out  is  legal  only  if  you  are  logged  in,  and  logging  out  preserves  normal  form- 
hood  only  if  you  did  not  just  login  to  the  same  device.  The  property  of  being  logged  in  is 
specified  as  follows: 

logged Jn(u,  d,  7)  — ►  37?  [user_exists(u,  T)  A  some_none(2,2)(tf,  login,  logout,  1 ,  u,  2,  d;  1 , «, ,  2,  d,  7)] 

That  is,  a  user  is  logged  in  at  a  device  only  if  there  is  a  point  in  the  past  at  which  an  appropriate  -j 

call  to  login  was  not  followed  by  a  corresponding  call  to  logout. 

2.3  Classifications  and  clearances 

The  next  group  of  procedures  that  we  examine  are  those  dealing  with  the  various  security 
parameters  associated  with  users  and  entities.  In  addition  to  procedures  that  set  values  and 
modify  lists  of  values,  there  are  functions,  available  only  to  a  system  security  officer,  that  return 
the  values  of  security  variables. 

2.3.1  Setting  values 

Certain  security  parameters  are  single  values.  These  are:  the  security  clearance  of  a  user,  the 
maximum  classification  of  an  output  device,  the  actual  classification  of  an  entity,  and  the  CCR 
value  of  a  container.  These  parameters  are  set  using  the  procedures  set_cu,  set.CD,  set.CE,  and 
set.CCR,  respectively.  The  specifications  for  these  procedures  are  all  based  on  the  idea  that  a 
parameter  setting  procedure  preserves  normal  form-hood  if  and  only  if  it  neither  sets  a  parameter 
to  the  value  it  already  has  nor  cancels  out  the  effect  of  a  parameter  change  that  has  just  taken 
place.  So  we  have,  for  example,  the  specification  of  set_cu: 

set -CU 

nf(7)  —  [L(7'  set_cu(«.  v.  /))  —  [RO(m,  7,  ^Jo)Auscr.exists(«,  7)AloggedJn(M,  7}Auser_exists(v,  7)A->IoggcdJn(v',  7)A 
ref.sccurc(7.  set.cu(M.  v,  0)11 

(nf(7)  a  L(7'.set.cu(w,  v.  /))!  —  [nf(7.set_cu(u.  v.  [))  ~  [CU(v,  7)  1  A  -'353m'  3v7  31'  7  =  5.set.cu(M',  V ,  /')] 

[nf(7)  A  L(7.set.cu(u.  v.  /))  A  CU(v.  7)  =  /]  —  7  set.cu(u,  v,  0  =  7 

[nf(7)  a  L(7.set.cu(u,  v.l))A7  =  5.set.cu(M',  v7,  /')]  —  7.set.cu(M,  v,  /)  =  5.set.cu(M,  v,  /)] 

Note  the  last  two  formulas  in  the  specification.  They  specify  different  normal  form  equivalents 
for  the  trace  T.set_cu(«.  v.  /)  depending  on  the  particular  way  in  which  it  fails  to  be  in  normal 
form. 

Procedures  that  manipulate  the  security  properties  of  entities  are  specified  in  much  the  same 
way.  Since  trace  specifications  give  the  user’s  view  of  procedure  behavior,  we  will  specify  the 
security  parameters  of  entities  as  properties  of  the  references  that  refer  to  them.  We  begin  with 
set.CD,  a  procedure  for  setting  the  maximum  classification  of  information  allowed  to  appear  on 
a  given  output  device. 

set.CD 

nfY7)  —  [L(7  set.CDfM.  d.  /))  — 

floggcd-infii.  7)  a  RO(m.  7.  sso)  A  CE (d.  T)  <  l  A  dcvicc(<7)  A  rcf_sccurc(7\  set.CD(M.  d.  /))]! 


b 


r 


;$a 


[nf(T)  A  L(T.  set  .CD  (u,  d,  /))]  —  [nf(7.set.CD(w,  d,  /))  —  [-.3m'  3/'  35  7  =  S.seLCD(V ,  d,  1‘)  A 

VCV7?  [iprefix(/?.C,  7)  A  callname(C)  =  set.CU  A  coref(arg(C,  2),R,  d,T )]  —  [arg(C,2)  f  l  v3 C'  3S  [callname(C')  = 

set.CD  A  coref(arg(C' ,  2).  5,  d  T)  A  prefi \(R.C,  S.C')  A  arg(C',  2)  /  /]]]] 

[nf(7)  A  L(7.set_CD(w,  d ,  /))  A  7  =  5.set.CD(u',  d,  /')]  —  7.set.CD(a,  d,  /)  =  5set.CD(u,  d,  /) 

[nf(7)AL(7.set.CD(u,  d,  [))A3C3R  [prefix(/?.C,  T)Acallname(C)  =  set.CD  Acoref(arg(C,  2),  R.  d.  7)Aarg(C,  2)  =  /  A 
-i3C'  35  [callname(C')  =  set.CD  Acoref(arg(C',  2),  S,  d,  7)Aprefix(/?.C,  5.C')Aarg(C',  2)  £  /]]]  — *  7.set.CD(u,  d,  0  = 

7 

The  very  complicated  looking  second  formula  in  the  specification  for  this  procedure  can  be 
explained  as  follows:  a  legal  call  to  set.CD  preserves  normal  form-hood  just  in  case  (i)  it  does 
not  immediately  cancel  the  effect  of  another  set.CD  call,  and  (ii)  any  previous  set.CD  call 
that  set  the  maximum  classification  of  the  device  to  the  same  level  that  this  call  sets  it  to  was 
cancelled  by  a  subsequent  set.CD  call  setting  it  to  a  different  classification.  In  case  (i)  fails,  the 
trace  is  equivalent  (by  the  third  formula)  to  the  result  of  deleting  the  set.CD  call  whose  effect 
was  cancelled.  If  (ii)  fails,  the  the  trace  is  equivalent  (by  the  fourth  formula)  to  the  result  of 
deleting  the  final  set.CD  call. 

The  four-place  relation  coref  appears  for  the  first  time  in  the  specification  of  this  procedure. 

Its  intended  meaning  is  this:  coref(ri,  S,  r2,  T)  states  that  refers  at  S  to  the  same  entity  that  r2 
refers  to  at  T.  This  predicate  will  be  discussed  further  in  the  section  on  references. 

The  specification  of  set.CE  is  very  similar  to  that  of  set.CD: 

set.CE 

nf(T)  —  [L(7.set.CE(M,  d,  0)  ~ 

(loggedJ n(u.  T)  A  A S(«,  set.CE,  d,  2, 7)  A  device(d)  A  /  <  CD(d,  T)  A  refsecurc(7\  set.CE («,  d,  /))]] 

[nf (7)  A  L(7.set.CE(«,  d,  /))]  -  [nf(7.set_CE(u,  d,  /))  -  h3u'  31'  3 57=  5.set_CE(u',  d,  /') A 

dCVR  [fprcfixiT?  C,  7)  A  callname(C)  =  set.CE  A  coref(arg(C,  2),  R,  d,  T)}  —  [arg(C,  2)  ^  /  V  3  C  35  [callname(C')  = 

set.CE  A  coref(arg(C',  2),  5,  d,  T)  A  prefix(/?.C,  5.C')  A  arg(C',  2)  f-  /]]]] 

[nf('7)  A  L(7.set.CE(u,  d,  /))  A  7  =  5.set.CE(t/,  d,  7)1  —  7.set.CE(u,  d,  [)  =  5.set.CE(«,  d,  /) 

[nf(7)A  L(7.set-CE(w,  d.  /))A3C37?  fprefix(/?.C.  7}AcaJlname(Q  =  set.CE  Acoref(arg(C,  2 ),/?.  d.  7)Aarg(C.  2)  =  /  A 
-|3C'  35  [callname(C')  =  set.CE  A coref(arg(C',  2),  5,  d,  7)Aprefix(/?.C,  5.C')Aarg(C',  2)  ^  !]}}  —  7,set.CE(u,  d,  0  = 

7 

Since  users  other  than  the  system  security  officer  may  be  authorized  to  set  the  classification  of  a 
particular  entity,  we  need  a  way  of  specifying  which  users  those  are.  This  is  done  in  the  MMS 
model  by  means  of  the  predicate  AS,  defined  here  as  follows: 

AS(v.  c,  r.  k.  7)  —  [RO(v,  7,  sso)V 

35  [some.nQne_ref(3  3)(.S,  add_AS,  rm.AS.  (4,  r),  2,  v,  3,  c.  5,  7;  (4,  r).  2,  v,  3,  c,  5,  k,  7)A-'injaftcri  (5.  delete.user,  2,  v,  7)]] 

That  is,  user  v  is  authorized  to  perform  procedure  c  at  trace  T  with  reference  r  as  its  Arth  argument 
if  and  only  if  either  visa  system  security  officer  at  T  or  else  the  triple  (c,  r.  k)  has  been  added 
to  v’s  access  set  at  some  point  during  the  course  of  T  without  subsequently  being  removed. 

The  fourth  and  last  of  the  parameter-setting  procedures  is  set.CCR,  which  follows  much  the 
same  pattern  as  the  other  three. 


nf(T)  —  [L(7.set.CCR(u,  r,  x))  *-*  [logged  Jn(u,  T)  A  user.exists(u,  T)  A  container^,  T)  A  ref.exisis(r,  7)A 
AS (u,  set-CCR,  r,  2,  7)  A  ref _secure(7,  set.CCR(u,  r,  x))]] 

[nf(T)  A  L(7.set_CCR(u,  r,  jc))]  —  [nf(7.set_CCR(u,r,x))  <-  [CCR(r,  7)/xA  ->35  3  v3;y  7  =  5.set.CCR(v,  r,  j)] 
[nf(7~)  A  L(7.set.CCR(u,  r,  x))  A  CCR(r,  7)  =  x]  7.set.CCR(u,  r,x)  =  7 

[nf(T)  A  L(7.set_CCR(u,  r,  x))AT  =  S.set.CCRfv,  r,  y)]  —  7.set.CCR(u,  r,  x)  =  5  set.CCR(u,  r,  x)] 

A  call  to  setXCR  preserves  normal  form-hood  just  in  case  (i)  the  container  in  question  does 
not  already  have  the  CCR  value  to  which  it  is  about  to  be  set,  and  (ii)  the  resulting  trace  does 
not  contain  back-to-back  calls  to  setXCR  for  the  same  container.  If  (i)  fails,  then  the  trace  is 
equivalent  to  the  result  of  deleting  the  last  call  to  setXCR,  and  if  (ii)  fails  then  the  trace  is 
equivalent  to  the  result  of  deleting  the  penultimate  call  to  seLCCR. 

2.3.2  Adding  and  removing  values  from  a  list 

In  addition  to  the  single  valued  security  parameters  discussed  above,  the  MMS  model  contains 
security  parameters  in  list  form.  These  are  the  user’s  roles,  role  set,  and  access  set.  The  values 
of  these  list  parameters  are  set  by  means  of  pairs  of  procedures:  one  for  adding  values  to  the 
list,  one  for  removing  values  from  the  list.  For  example,  a  user’s  role  set  is  manipulated  by  the 
procedures  add_R  and  rm_R: 

addJR 

nf(7)  —  [L(T.addJR(u.  v,  r))  —  (RO(k,  7,  550)  A  loggedJn(M,  7)  A  user_exists(v,  7)  A  rcf_secure(7',  add  J?(«,  v,  r))]] 
[nf(7)  A  L(7'.add_R(u,  v,  r))]  [nf(7.add  JR(u.  v,  r))  —  [-R(v,  7,  r)  A  -0 u!  35  7  =  5  rm  _R(m',  v,  r)]] 

[nf(7)  A  L(7.add_R(w,  v,  r))  A  R(v,  7,  /-)]  —  7  add-R(u,  v,r)  =  T 

[nff/)  A  L(7.add_R(u.  v.  r))  A  7  =  5  rm_R(u',  v,  r)]  —  T.add  _R(u,  v,  r))  =  5] 

rm_R 

nf(7)  —  [L(7  rm_R(u,  v.  r)  <—  [Iogged-in(w,  T)  A  R 0(u,  7,  sso)  A  user_exists(v,  T)  A  ->RO(v,  7,  r) 

Aref.securc(7\  rmJt(u,  v,  r)] ] 

[nf{7)  A  L(7.rm_R(«.  v.  r)\  —  [nf(7.rm.R(«.  v,  r))  —  [R(v,  7,  r )  A  -0 u'  3 5  7  =  5  add  v,  /-)]] 

[nf(7)  A  L(7’.rm.R(u,  v,  r)  A  -iR(v,  7.  r)]  —  7  rm  JR(u,  v,  r)  =  7 
[nf(7‘)  A  L(7.rm_R(M.  v,  r)  A  T  =  5  add.R(w',  v,  r)]  —  7.rm.R(u,  v,  r)  =  5 

Only  a  system  security  officer  may  manipulate  a  user’s  role  set,  and  so  a  call  to  add_R  or  rm.R 
is  legal  only  if  the  user  issuing  the  call  has  the  role  of  system  security  officer.  A  call  to  add_R 
or  rm_R  preserves  normal  form-hood  if  and  only  if  it  is  nonredundant  and  does  not  cancel  the 
effect  of  the  procedure  call  that  immediately  precedes  it. 

The  other  two  pairs  of  procedures  that  modify  list-parameters  follow  the  same  pattern  as 
add_R  and  rm_R. 


<t-  »‘-V IV-V  «*-V-  w. 
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User  roles: 


add_RO 

nf(7)  —  [L(7',add_RO(u,  v,  r))  [[RO(zz,  T,  sso)  v  u  =  v]  A  loggedJn(u,  7)  A  R(v,  7,  r)  A  user.exists(v,  T)  A 
ref_secure(7,  add _RO(u,  v,  r))]] 

[nf(T)  A  L(7.add_RO(zz,  v,  /•))]  —  [nf(7.add  _RO(zz,  v,  r))  ~  [-RO(v,  7,  r)  A  -.3z7  35  7  =  S.rm  _RO(u',  v,  r)J] 

[nf(T)  A  L(7  add  _RO(u,  v,  r))  A  RO(v.  7,  r)]  —  7.add_R0(u,  v,  r)  =  7 

[nf(7)  A  L(7.add_RO(u,  v,  r))  A  7  =  5.rmJRO(u',  v,  r)]  — »  7  add_RO(zz,  v,  r ))  =  5] 


rm_RO 

nf(7)  —  [L(7.rmjR0(«,  v,  r)  —  [logged  Jn(zz,  7)  A  [RO(u,  7,  m)  V  «  =  v]  A  R(v,  7,  r)  A  user_exisLs(v.  7) 
Aref.secure(7,  rm_RO(u,  v,  r)l] 

[nf(7)  A  L(7.rm_R0(zz,  v,  r))  —  [nf(7.rm_R0(w,  v,  r))  ~  [RO(v,  7,  r)  A  -.3 u!  3 5  7  =  5  add.R(z/,  v,  r)]] 

[nf(7)  A  L(7.rm  JRO(«,  v,  r)  A  ->RO(v,  7,  r)]  —  7.rm_R0(zz,  v,  r)  =  7 
[nf(7)  A  L(7. rm.ROfu,  v.  r)  A  7  =  S  add_RO(z/,  v,  r)]  —  7.rm_R0(M,  v,  r)  H  S 

Access  sets: 
add_AS 

[nf(T)  —  [L(7.add_AS(«,  v,  c.  i,  it))  ~ 

[loggedJn(zz,  7)  a  RO(u,  7, sso)  A  ref_exists(z,  T)  A  [role(v)  v  user_exists(v,  7)]  A  ref_secure(7,  add-AS(u,  v,  c,  z,  A:))]] 

fnf(7)  A  L(7.add_AS(zz,  v,  c,  z,  k))J  —  [nf(7.add_AS(zz,  u,  c,  i,  k))  ~ 

VS  after.evcry -ref(3  3)(5,  add^VS,  rm_AS,  (4,  /),  2,  v,  3,  c,  5,  A:;  (4,  z),  2,  v,  3,  c,  5,  it,  7) 

A-i3;3w'  35  [7  =  S.rm_AS(«',  v,  c,j,  k )  A  corcf(z,  7,^,5)]] 

[nf(73  A  L(7.add_AS(u,  v,  c,  i,  k))AT  =  S.rin_AS(z<',  v,  c,j ,  it)  A  coref(z,  7,;,  5)]  — ►  7.add_AS(zz,  v,  c,  z,  A:)  =  5] 

[nf(7)  A  L(7.add_AS(zz,  v,  c,  z,  A:))A 

-’VS aftcr.everyjef(3  3)(5.  add_AS,  rm.AS,  (4,  z),  2,  v,  3,  c,  5,  A:;  (4,  z),  2.  v,  3,  c,  5,  it,  7)]  —  7.add_AS(zz,  v,  c,  z,  /t)  =  7] 

rm_AS 

(nf(7)  —  [L(7.rtn_AS(zz,  v,  c,  z,  it))  ~ 

[logged-in(«,  7)  A  RO(u,  7.  jot)  a  rcf_cxists(z,  7)  A  [role(v')  V  user_exists(v,  7)]  A  ref.secure(7,  rm_AS(«.  v,  c,  z,  t))|] 


*?7.' 
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[nf(7')  A  L(7  rm_AS(M,  v,  c,  z,  A:))]  —  [nf(7  rm_AS(zz,  v,  c,  z,  it))  «-+ 

35  somcjione-ref(3  3)(5,  add_AS.  rm_AS,  (4,  z),  2,  v,  3,  c,  5.  it;  (4,  z),  2,  v,  3,  c,  5,  it,  73 
a-G./3zz'  35  [7  =  S.add_AS(zz',  v,  c,j,  k )  A  coref(z\  T,j,  5))] 

[nf(73  A  L(T.rm_AS(u.  v,  c,  i,  k ))  A  7  =  S.add_AS(z/,  v,  c,y,  it;  A  corcf(z,  T,j,  5)]  —  7.rm_AS(«,  v,  c,  z,  it)  =  5] 

[nf(7)  A  L(7.rmAS(«,  v,  c,  z,  it))A 

35 somc-noncj-cf(3  3)(S,  add j\S,  rm_AS.  (4,  /),  2,  v,  3,  c. ,  5,  it;  (4,  /),  2,  v,  3,  c,  5,  it,  7)]  —  7.rm_AS(zz,  v,  e,  z,  k)  =  T] 

Predicates  of  the  some_none_ref(m.„)  family  allow  us  to  say  of  a  trace  that  it  contains  a  call 
to  a  certain  procedure  and  that  this  call  refers  to  a  given  entity  but  is  not  followed  by  an 
occurrence  of  a  procedure  call  of  a  certain  sort  referring  to  the  same  entity.  More  specifically, 

some  none_reffm>l)(5.  Ci ,  c2,  (j\  r),j , .  Aj , . . .  ,jm,  xm;  (k,  r),ki,y  . . k„,  yn ,  T)  states  that  5  is  a  prefix 

of  T  and  is  followed  in  T  by  a  call  to  procedure  c\.  This  call  has  a  reference  x  in  position  j 


-V  jjL 


that  refers  at  S  to  the  same  entity  that  r  refers  to  at  T,  and  this  call  to  C\  has  argument  x,  in 
position  ji,  for  i  from  1  to  m,  and  there  does  not  exist  in  T  after  S  and  the  call  to  c\  that  follows 
it,  any  occurrence  of  a  call  to  C2  having  argument  y,  in  position  it,,  for  i  from  1  to  n ,  and 
having  in  position  k  a  reference  that  refers  (at  the  trace  to  which  the  Ci  call  is  appended)  to  the 
same  entity  that  r  refers  to  at  T.  The  predicate  after_every_ref(m  n)  is  defined  as  the  negation  of 
some  .none  jef^n) . 

2.3.3  Asking  for  values 

In  this  section  we  consider  the  specifications  of  functions  that  a  system  security  officer  may  use 
to  ask  for  the  roles,  role  set,  clearance  and  access  set  of  a  user,  the  maximum  classification  of 
information  that  is  allowed  to  be  displayed  on  an  output  device,  the  classification  of  an  entity, 
and  the  CCR  value  of  a  container.  These  specifications  follow  one  of  two  simple  patterns,  the 
first  of  which  being  exemplified  by  the  specification  of  current _R: 

current_R 

nf(T)  —  [L(7\current  J*(u,  v,  r))  — 

[loggcd_in(u,  T)  A  [RO(u,  T,  x.so )  V  u  =  v|  A  user_cxisls(v,  V)  A  ref „sccurc(7',  current  JR(u,  v,  r))]] 

-•nf(T  current_R(u,  v)) 

[nf(7)  A  L(7  current.RO/,  v,  r))]  —  7'.current_R(i/,  v,r)=T 

[nf(7”)  A  L(T.current_R(i/,  v,  r))]  —  [[V(7 '.current.R(u,  v,  r))  =  True  «-*  R(v,  7',  r)]  A  [V(7\current JR(«,  v,  r))  = 
False  <—  ->R(v,  T,  /•)]] 

Note  that  instead  of  giving  the  conditions  under  which  a  legal  trace  ending  in  current.R  whose 
longest  proper  prefix  is  in  normal  form  is  itself  in  normal  form,  the  second  axiom  of  this 
specification  simply  states  that  no  trace  ending  in  current_R  is  in  normal  form.  This  implies 
that  a  legal  trace  ending  in  current_R  whose  prefix  is  in  normal  form  is  itself  in  normal  form 
if  and  only  if  t/\  where  V  is  any  contradictory  formula.  We  could  just  as  easily  have  stated  the 
second  axiom  this  way,  but  the  formulation  that  was  actually  used  seems  more  to  the  point. 

The  third  axiom  implies  that  a  trace  ending  in  currentJR  is  equivalent  to  any  normal  form 
trace  that  is  equivalent  to  its  longest  prefix.  The  fourth  axiom  states  that  currentJR  returns  the 
value  true  just  in  case  the  role  set  of  user  v  at  T  contains  the  role  r.  The  role  set  predicate  R 
is  defined  as  follows: 

R(v,  T,  r)  —  [[ v  =  Root  A  r  -  ,wo|V 

3.S’  fsomc-none(2,2)(S,  add_R,  rm.R,  2  v,  3.  r\".  \  3,  r,  T)  A  ->in_aftcri(S,  delete.user,  2,  v,  T)]] 

That  is,  r  belongs  to  v’s  role  set  at  T  just  in  case  there’s  a  point  in  the  history  of  T  such  that  v 
has  existed  continuously  since  then  and  such  that  r  was  addeu  to  v’s  role  set  at  that  point  and 
not  thereafter  removed. 

Note  that  in  the  case  of  current.R,  the  return  value  of  the  function  in  question  is  a  truth 
value,  and  the  security  parameter  in  question  is  a  list,  viz.  the  list  of  roles  that  some  user  is 
authorized  to  have.  The  function  is  used  to  ask  whether  a  particular  value  is  in  the  list,  and 
returns  the  value  true  if  it  is  and  the  value  false  if  it  is  not.  The  other  functions  that  have 
this  character  are  current_RO  and  current _AS,  which  we  display  below.  The  specification  of 
current_AS  includes  a  trace  definition  of  the  predicate  AS. 


current_RO 


nf(T)  —  [L(r.current_RO(«,  v,  r))  <->  [logged J n(u,  T)  A  [RO(u,  T,  sso )  V  u  =  v]  A  user.exists(v,  T) A 
ref-secureCT",  current_RO(u,  v,  /•))][ 

->nf(7’.current_RO(u,  v)) 

[nf(7*)  A  L(7.current_RO(u,  v,  r))]  — ►  7'.current_RO(u,  v,  r)  =  T 
(nf(7)  A  L(7\current_RO(u,  v,  r))]  — - 

[[V(7\current.RO(w,  v,  r))  =  True  — >  RO(v,  T ,  r)]  A  [V(7'.current.RO(«,  v,  r))  =  False  <-»  -'RO(v,  T,  /•)]) 


current-AS 

n((T)  — *  [L(7'  current_AS(«,  v,  c,  r,  k))  «-+  [loggedJn(«,  T)  A  RO(u,  T,  sso )  A  user_exists(v,  T)  A  ref.exists(r,  T)A 
ref-secure(r,  current_AS(u,  v,  c,  r,  &))]] 

-inf(7.current-AS(«,  v,  c,  r,  k)) 

[nf(7^  A  L(7'.current_AS(u,  v,  c,  r ,  A:))]  — *  7\current.AS(u,  v,  c,  r,k)  =  T 

(nf(T)  A  L(7\current_AS(u,  v,  c,  r ,  A))]  — >  [[V(7'.current.AS(u,  v,  c,  r,  A:))  =  True  — <■  AS(v,  c,  r,  k,  7)]A 
[V(7.current_AS(u,  v,  c,  r ,  A:))  =  False  — *  -’AS^,  c,  r,  k,  T)]] 

AS(v,  c,  r,k,T)*—  [RO(v,  T,  sso) 

v35  (somejione-ref(3i3)(S,  add_AS,  rm.AS,  (4,  r),  2,  v,  3,  c,  5,  A:;  (4,  r ),  2,  v,  3,  c,  5,  k ,  7)A 
-'in^fteri (5, delete.user,  2,  v,  T)\\ 

In  cases  where  the  parameter  in  question  is  a  single  value,  the  function  involved  will  simply 
return  that  value,  as  in  the  specification  of  the  procedure  current_CU,  which  returns  a  user’s 
clearance  and  which  is  displayed  below  along  with  the  trace  definition  of  the  MMS  model 
predicate  CU: 

current.CU 

nf(T)  —  [L(7\current-CU(u,  v,  r)) «—  [loggedin(u,  T)  A  [RO(u,  T,  sso)  V  u  =  v]  A  user_exists(v.  7)A 
rcLsccure(7',  current.CU(u,  v,  r))l] 

-'nf(r.current.CU(«,  v)) 

[nf(T)  A  L(T.current_CU(M,  v,  r))]  — *•  7\currenLCU(u,  v,r)~T 
[ nf(T )  A  L(7'.current.CU(M,  v,  /))]  — *•  [V(r.currenLCU(u,  v))  =  CU(v,  T)} 

CU(v,T)  =  /  —  [3S[some.none(2,i)(5,  create.user,  set.cu,  2,  v,  3, /;2,  v,  T)  A -iinjfteri(S,  delete.user,  2,  v,  7^]  v 

[35  [somejionc(5,  set.cu,  set.cu,  2,  v,  3,  /;  2,  v,  T)  A  — •in_afteri(S,  delete.user,  2,  v,  T)]] 

The  other  procedures  whose  specifications  are  of  this  second  type  are  current.CE,  current.CCR, 
and  current.CD,  which  we  display  below  along  with  the  trace  defintions  of  their  associated  MMS 
predicates  CE,  CCR ,  and  CD: 

current.CE 

nf(T)  —  [L(/'  current.CE(u,  r))  — •  [logged _in(u,  T)  A  RO(u,  T,  sso)  A  user_cxists(v,  T)  A  rcfxxists(r.  T)A 
ref_securc(T,  current.CE(u,  r))]] 

->nf(/'.current.CE(M,  r)) 

[nf(/)A  L(7'.current.CE(M,  r))]  —  7"  current_CE(u,  r)  =  T 


[nf(T)  A  L(7\current-CE(u,  r))]  — *■  [V(T.current.CE(«,  r))  =  CE(r,  T) 

CE(r,  T)  =  /  — >  3S3C3s  [[callname(C)  =  seLCE  V  callname(C)  =  cont_create  v  callname(C)  = 
obj.create  v  callname(C)  =  downgrade]  A  arg(C,  2)  =  s  A  arg(C,  3)  =  l  A  coref(s,  S,  r,  T) 
a->3 R  in_after_refi(S.C./?,  c,  (2,  r),  3,  r,  7)  A  [c  =  delete.ref  V  c  =  downgrade  V  c  =  set.CE] 

current.CCR 

nf(T)  —  [L('7\current.CCR(u,  r)) «—  [loggedJn(u,  T)  A  RO(w,  T,  sso)  a  ref.exists(r,  T) A 
ref  _secure(7\  current.CCR(u,  /•))]] 

-inf(T.current.CCR(u,  r)) 

[nf(r)  A  L(7.current.CCR(u,  r))]  — ►  T.current_CCR(u,  r)=T 

[nf(7}  A  L(7  current.CCR(«,  r))]  — »  [V(7\current_CCR(«,  r))  =  CCR(r,  7) 

CCR(r,  T)  =  True  <—  3Co3/?oVCV/?  [[callname(C)  =  set.CCR  A  prefix(/?. C,T)  A  coref(arg(C, 2),/f,r, T)]  <— 
prefix(7?.C,  Ro-Co)]  A  arg(C,  3)  =  True] 

CCR(r,  T)  =  False  ~  CCR(a  T)  /  True 

current.CD 

nf(T)  —  [L(T.current.CD(u,  d))  — >  [logged  Jn(u,  T)  A  RO(«.  T.  sso )  A  device(<7)]] 

->nf(T.current.CD(u,  d)) 

[nf(7)  A  L(T.current.CD(u,  d))]  — *  T.current.CD(u,d)  =  T 

[nf(70  A  L(T.  current.CD(u,  d))]  —  V(7\current-CD(u,  d))  =  CD(d,  T)] 

CD(d,T)  =  x  «—  [35  3C  [callname(C)  =  set.CD  A  x  =  arg(C,  3)  A  V£>V/?[prefix(/7Z?,5.C)  <-*■  [prefix(7?.D,  7)  A 
callname(O)  =  set.CDAcoref(arg(D,  2),  /?,  d,  7)]]]v[j:  =  unclassifiedA->35  3C  [callname(C)  =  set_CDAprefix(S.C,  T)  A 
corcf(arg(C,  2),  5,  d,  7)]] 

2.4  References  and  Entities 

In  the  MMS  security  model,  references  to  entities  can  be  direct  or  indirect.  A  direct  reference 
is  a  number  that  serves  as  the  name  of  an  entity  in  the  message  system.  An  indirect  reference 
is  a  sequence  n\  :  :  ni+\  of  numbers,  where  n\  nl+\  represents  the  n,+ith  element  in 

the  container  to  which  n\  refers.  In  the  MMS  model  trace  specification,  references  are 

defined  recursively  by  the  following  axioms,  where  k  is  a  variable  that  ranges  over  the  positive 
integers. 

Recursive  axioms 

direct _refOt)  A  Vr3£[direct.ref(r)  — >  r  - 
direct_ref(r)  — »  reference(r) 
referenceO)  — >  reference^  :  k) 

reference(r)  — >  [direct _ref(r)  v  3s  3k  [reference^)  A  r  -  s  :  &]] 


2.4.1  Identifying  references 

It  can  safely  be  assumed  that  in  the  course  of  writing  and  modifying  messages,  entities  will 
frequently  change  their  composition.  Entities  can  be  inserted  in  one  another,  deleted  from  one 
another,  or  deleted  altogether,  for  example.  Yet  we  want  to  ensure  that  an  entity  retains  its 
security  classification  through  such  changes,  unless  the  classification  is  explicitly  modified,  and 
we  want  the  same  access  privileges  to  apply  to  an  entity  after  it  is  modified,  unless  these  access 
privileges  are  modified.  In  order  to  use  references  to  identify  an  entity  after  it  has  been  changed 
we  define  the  conditions  under  which  one  reference  can  be  said  to  refer  to  the  same  entity  at 
trace  T  that  another  reference  refers  to  at  trace  S.  This  is  done  by  means  of  the  coref  predicate, 
a  four-place  relation  that  is  governed  by  the  following  axioms: 

Coreference 

coref(r,  T,  r,  T) 

coref (r,  7,  s,  ft)  —  corcf(s,  R,  r,  T) 

coref(r,  T ,  s,  R )  —  [coref(5,  R  t.  S)  —*  coref(r.  T,  l,  S» 

callname(C)  =  insert  — ► 

[coref(arg(C,  2),  T,  arg(C,  3) :  arg(C,  4),  T.C  A  [0  <  k  <  arg(C,  4)  —  coref(arg(C,  3) :  k,  T,  arg(C,  3) :  k,  T.C )]  A  [[jfc  > 
arg(C,  4)  A  ref.exists(arg(C,  3) :  k,  7)1  —  coref(arg(C,  3) :  k,  T,  arg(C,  3 ):(k+  1),  7'.C)] 

[[callname(C)  =  delete_ref  A  coref(arg(C,  2),  S,s  :  k,  7)1  V  [caIlname(Q  =  remove  A  coref(arg(C,  3),  S,  arg (C,  2)  : 
arg(C,  4),  73  A  k  =  arg(C,  4)  A  j  =  arg(C,  3)]  — +  [0  <  n  <  k  —  coref(5  :  n,T,s  :  n,  f.Q]  A  [[«  >  k  A  ref.exists(5  : 
n ,  7")]  —  corefO  :  n,T,s  :  (n—  1),  T.C)]] 

[callnamc(C)  /  deletejref  A  callname(C)  /  insert  A  callname(C)  ^  remove]  —  [coref (r,  T ,  t,  S)  — ►  coref(r,  T.  i,  S.Q] 
coref(r,  T,s  :  k,T)  ■—  3C3S  [prefix(5.C,  T)  A  callname(C)  =  insert  A  coref(arg(C,  2),  S,  r,  T)  A  coref(arg(C.  3),S,  s,  7)] 

The  first  three  axioms  state  that  coref  is  an  equivalence  relation  if  regarded  it  as  a  binary  relation 
on  pairs  (r,  T),  where  r  is  a  reference  and  T  is  a  trace.  The  third,  fourth,  and  fifth  axioms  describe 
how  the  identity  of  an  entity  is  preserved  when  modified  using  the  procedures  insert,  delete_ref, 
and  remove,  which  are  the  only  entity-modifying  procedures  presented  here.  If  a  container  is 
modified  by  inserting  an  entity  into  it  at  position  k,  then  the  entities  at  positions  1  through  k  —  1 
in  this  container  can  still  be  referred  to  in  the  same  way;  of  course,  the  newly  inserted  entity 
becomes  the  /ah  element  of  the  container;  and,  finally,  those  entities  formerly  in  positions  k+  1 
or  higher  now  have  their  positions  incremented  by  one.  If,  on  the  other  hand,  a  container  is 
modified  by  delete_refing  or  removeing  an  entity  from  position  k ,  then  the  entities  that  were 
in  positions  1  to  k  —  1  keep  the  same  position,  whereas  entities  in  positions  k  +  1  and  higher 
have  their  positions  decremented  by  one.  Coreference  is  not  modified  by  procedures  other  than 
deletejref,  insert,  and  remove.  Finally,  coreference  holds  between  references  r  and  ,v :  k  only  if 
r  has  been  inserted  into  5. 

Most  of  what  needs  to  be  said  about  entities  can  be  put  entirely  in  terms  of  references,  but 
for  some  purposes,  such  as  the  definition  of  potential  modification,  we  will  need  to  say  things 
directly  about  entities.  Entities  occur  in  this  specification  as  the  value  of  an  entity  function  E 
which  must  satisfy  these  conditions: 

VrV.vV'/'V/?  [corcf(r,  7,  s,  R)  —  E(r.  T)  =  E(s ,  /?)] 

VrV7'|rcf.cxists(r,  T)  —  3 yy  =  E(r,  T) 


wv 


entity _exists(x,  T)  <—  3r  x  =  E(r,  T) 
entity(x)  <-+  3 7  entity  _exists(x,  7) 

[entity(x)  A  entity(y)  — ♦  [x  =  y  «-►  3S  373ri  3r2  [£(rt  ,S)  =  x  A  E(r2,  T)  =  y  A  coref^ ,  S,  r2, 7)]J 
VxVr  [entity _exists(x,  7)  — *  3z  [z  =  value(x,  7)  A  string(z)]] 

Tlie  based_on  relation,  which  identifies  those  references  that  refer  to  the  pieces  of  an  entity,  is 
defined  recursively: 

VrV£  Ve  [refjexists(r  :  k,  T)  A  £(r,  7)  =  e]  — ►  based.on(r  :  k,e,T) 

VrVkVe  [rcf.exists(r  :  k,T)  A  based.on(r,  e,  7)]  — >  based.on(r  :  k,e,T) 

2.4.2  Creating,  modifying,  and  displaying  references 

The  procedures  obj_create,  conLcreate,  insert,  remove,  delete_ref,  identify,  and  display  can 
be  used  to  create,  modify,  and  display  references. 

Entities  are  of  two  kinds:  objects  and  containers.  An  object  is  an  atomic  or  text-bearing 
entity;  a  container  is  any  sequence  of  entities.  Objects  and  containers  are  created  using  the 
procedures  obj_create  and  cont_create,  respectively. 

obj  ..create 

nf CO  —  [L(7.obj_create(u,  k,  l,  p))  «-►  [logged  Jn(u,  T)  a  string(p)  A  -.35  [prefixes,  T)  A  ref.existsOfc,  5)] 

A  ref.  secure  (7,  obj.create(«,  k,  l,  /?))]] 

[nf(7)  A  L(7  obj_create(w,  k,  l,  p))]  — ►  nf(T.obj.create(«,  k,  /,  p)) 

cont.create 

nfCD  —  [L(7.cont_create(i<,  k,  /))  «-►  [loggedJn(u,  7)  A  -.35  [prefix(5,  T)  A  ref_exists(/t,  7)] 

Aref.secure(7,  cont.create(u,  k,  0)11 

[nf(0  A  L(7cont.create(u,  k,  /))]  — *  nf(7.cont_create(«,  k,  1)) 

When  an  object  is  created,  it  is  assigned  a  direct  reference  k,  a  security  classification  /,  and  a 
value  p,  which  is  the  textual  string  associated  with  the  object.  When  a  container  is  created  it 
is  assigned  only  a  direct  reference  and  a  security  classification.  Entities  are  inserted  into  and 
removed  from  containers  using  the  insert  and  remove  commands,  respectively. 

insert 

nf(7)  —  [L(7.insert(u,  x,  y,  k ))  <—  [logged_in(u,  T)  A  [logged  Jn(«,  y,  7)  — ►  CU(«,  7)  >  CE(y,  7)] 

Aref.existsfx.  7)Aref_exists(y,  7)aCE(jc,  7)  <  CE (y,  7)A-.part-of(y,  x,  T)Ak  >  OA AS(u,  insert,  x,  2, 7)Acontainer(y)A 
AS (u,  insert,  y,  3, 7)  A  ref_secure(7,  insert(«,  x,  y,  k))  A  [k  =  1  V  3j  H(j,  T,y,k-  1)]]] 

(nf(7)  A  L(7.insert(u,  x,  y,  it))]  — *  nf(7.insert(u,  x,  y ,  k)) 


it 


$ 


remove 

nf  (7)  —  [L(7.remove(u,  x,  y,  <:))  —  [loggcdJn(u,  T)  A  ref.exists(x,  T)  A  k>  0  A  AS(m,  remove, x,  2, 7) 

A  AS  (u.  remove.  y,  3.  7)  A  corcf(y,  7,  x  :  k,  7)  A  ref.secure(7,  remove(«,  x,  y,  £))]] 

[nf(7)  A  L(7.remove(ii,  x,  y.  £))]  — >  nf(7.remove(«,  x,  y,  k)) 

Note  that  inserting  and  removeing  always  preserve  normal  form-hood;  this  is  intuitively  correct, 
since  one  wants  any  legal  modification  of  an  entity  to  constitute  a  change  in  the  state  of  the 
module.  Note  also  that  legality  requires  the  classification  of  the  inserted  entity  x  to  be  no  greater 
than  the  classification  of  the  container  y  into  which  it  is  inserted.  This  requirement  is  part  of  the 
MMS  definition  of  state  security. 

removeing  an  entity  from  a  container  does  not  destroy  the  entity  being  removed.  For  this 
the  delete_ref  command  must  be  used. 

delete_ref 

nf(7)  —  [L(7'.delete_ref(M,  r))  — -  [logged  Jn(w,  T)  A  ref.exists(r,  T)  A  A S(u,  delete.ref.  r,  2,  T) 

Arcf.sccure(7.  delete  j-ef(«.  r))  \  \ 

[nf(T)  A  L(7'. delete jref(u,  r))]  —  nf(7.deletejref(u, r)) 

Note  that  delete_refing  a  reference,  like  removeing  a  reference,  preserves  normal  form-hood. 

We  have  noted  that  deletejef  can,  whereas  remove  cannot,  be  used  to  destroy,  i.e.  truly 
delete,  an  entity.  The  reader  may  wonder  why  this  is  so,  since  nothing  about  the  way  the 
two  procedures  are  specified  suggests  this.  The  answer  lies  in  the  definition  of  existence  for 
references: 

rcf.cxists(r,  7)  —  3S3C  [some_nonc-ref(0  0)(S.  c,  delete.ref,  (2,r);(2,  r),T)  A  [c  =  obj.create  v  c  =  cont.create]] 

An  entity  (a  reference,  from  the  user’s  point  of  view)  exists  just  in  case  there  is  a  point  at  which 
it  was  created  and  after  which  it  was  never  deleted. 

An  entity  can  be  displayed  to  an  output  device  in  any  of  a  number  of  ways.  One  can  display 
its  value,  its  classification,  its  CCR  value,  its  message  type,  or  its  direct  reference.  Hence  the 
range  of  legal  switches  in  the  third  argument  of  the  display  procedure.  Note,  however,  that 
display  is  a  procedure,  not  a  function.  Since  displayed  material  need  not  be  returned  to  the 
console  that  executed  it,  treating  display  as  a  function  would  not  be  appropriate. 

display 

nf(T)  —  [L(7'.display(u.  r.f,  d))  —  [logged.in(«.  7) A  rcf.cxists(r,  7) A  dcvicc(d) A  CU(«,  7)  >  CE(r.  7) A  CD(d.  7)  > 
CE<7.  7)  A  AS (u,  display,  r,  2,  7)  A  [f  =  value  V/  =  direct j-ef  V/  =  classification  V/  =  type  V/  =  cc.r.value ]  A 
[f  =  value  —  [  part. off  r.  d.T)  A  3S  T  =  S.display(u.  r,  classification,  d)]]  A  Vz  [[/  =  direct  j-ef  A  bascd.onfr,  z.  7)  A 
CCR(z.  7)  =  Truej  —  CU(m.  ']')  >  CE (z,  /"> J J  A  ref.sccure(7',  display(«.  r.f.  d))]J 

1  nf(7")  A  L(7.display(u,  r.f.d)))  —  [nf(7.display(u,  r.f,  d))  —  VSVC  [[prcfix(S.C,  T)  A  corcf(arg(C,  2).  S.  r.  7)  A 
callnamc(Q  =  display  Aarg(C.  3)  =/  Aarg(C,4)  =  d\  —  3R3D  [prcfix(S,  /?)A[[callnamc(D)  =  display  Atirg(D.4)  = 
d  A  corcf(arg(D,  2).  R.  r.  7)  A  arg(D.  3)  /  f\  v  [callnamc(D)  =  delete.ref  A  corcf(arg(D,  2),  R,  r.  7)|  V  [arg(D,  4)  = 
d  A  callnamc(D)  =  identify] 111 

(nf(7)A  L(7.display(a.  r.f,  d))A3S  3 C  [prcfix(S.C,  7)Acorcf(arg(C,  2),  S.  r,  7)Acallnamc(Q  =  display  Aarg(C,  3)  = 
/  A  arg(C,  4)  =  d  A  -i 3 R  3D  |prcfix(S,  R)  A  [[callname(D)  =  display  A  arg(D,  4)  =  d  A  corcf(arg(D.  2),  R.r.T)  A 
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arg(D,  3)  ^/]v(callnamc(D)  =  delete _ref  Acorcf(arg(D,  2 ), /?,  r,  T)]v  [arg(D.4)  =  d  Acallnamc(D)  =  identify]]]]  — » 
7'.display(u,  r,f,  d)  =  T 

The  special  conditions  in  the  legality  definition  associated  with  the  cases  where  /  =  value  and 
/  =  direct-ref  help  to  ensure  that  the  MMS  properties  of  State  Security  and  CCR  Security  hold. 
The  normal  form  statement  says  that  a  call  to  display  preserves  normal  form-hood  only  if  it  is 
not  made  redundant  by  previous  calls  to  display. 

Next  we  come  to  the  procedure  identify,  which  allows  one  to  display  a  user’s  userjd,5 
clearance,  access  set,  roles,  and  role  set  on  an  output  device,  identify,  like  display  is  a  procedure 
rather  than  a  function  and  for  the  very  same  reason. 

identify 

nf(7)  —  [L(X  identify(u,  N.f.  dj)  — *  [logged  Jn(u,  T)  A  device(d)  A  user(N)  A  [f  =  userJd  V/  =  clearance  V/  = 
accessset  vf  =  role. set  vf  =  roles]  A  ref_secure(T,  identify^,  N,f,  d)))) 

[nf(73  A  L(T.  identify^,  N.f,  d))\  —  [nf(7\  identify  (n,  N, /,  d))  *->  NS  VC  [[prefix(S.C,  T)  A  callname(Q  =  identify  A 
arg(C,  2)  =  N  A  arg(C,  3)  =/  A  arg(C,  4)  =  d]  — ►  37?  3D  [prefix(S,  R)  A  arg(D,  4)  =  d  A  [[callname(D)  =  identify  A 
arg(D,  2)  =  N  A  arg(D,  3)  ^/]  V  callname(D)  =  display]] 

[nf('r>  A  L(T.identify(M,  iV,/,  d))  A  3S3C[prefix(S.C,  73  A  callname(C)  =  identify  A  arg(C,  2)  =  N  A  arg(C,  3)  ^ 
/  A  arg(C,4)  =  JA  ->37?  3 D  [prefixes.  C,  7?)  A  arg(D,  4)  =  d  A  [[arg(D,  2)  -N  A  callname(D)  =  identify  Aarg(D,  3)  = 
f]  V  caltnarne(D)  =  display]]]  —  T.identify(w,  TV,/ ,  d)=T 


2.5  Downgrading  and  Releasing 

The  final  two  procedures  in  the  specification  are  downgrade  and  release.  Since  these  procedures 
always  modify  the  state  of  the  module,  they  are  always  normal  form  preserving. 

downgrade 

nf(7)  —  [L(7  downgrade^,  r,  7)  — •  [RO(w,  downgrader,  T)  A  logged  Jn(a,  T)  A  userxxists(u,  T)  A  refxxists(r,  T)A 
CE (r.  T)  >  lANtNk  [H(t,  T.  r,  k )  —  CE(f,  73  <  7]  A  callnamc(C)  =  downgrade  A  AS(u,  downgrade,  r,  2,  T)A 
rcf.securcff,  downgraded,  r,  01] 

[nf(73  A  L(T  downgraded,  r.  7)]  — -  nf(7  downgraded,  r,  /)) 
release 

nf(7)  —  |L(7\  released-  r)  —  [RO(u.  releaser, T)  A  uscrxxistsd,  7)  A  loggedJnd,  T)  A  refxxists(r,  7)  A  T(r,  73  = 
DM  A  ASd.  release,  r,  2,  T)  A  rcf.sccurc(X,  released-  r)]] 

(nf(/)A  L(/  relense(u,  r)\  —  nf(7.  released,  r)) 

Note  that  the  legality  condition  of  downgrade  requires  the  issuer  of  the  command  to  have 
the  role  of  downgrader.  Similarly  an  issuer  of  release  must  have  the  role  of  releaser.  These 
requirements  ensure  that  the  MMS  conditions  of  Downgrade  Security  and  Release  Security  are 
met.  Also,  in  order  to  ensure  State  Security,  a  container  must  not  be  downgraded  to  have  a 
classification  lower  than  that  of  any  of  the  entities  that  it  contains. 


’Displaying  a  userjd  is  a  trivial  operation,  since  in  this  specification  we  do  not  distinguish  user  names  from 
uscr.ids. 
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2.6  Security 


The  MMS  model  prescribes  eight  basic  security  properties:  state  security,  access  security,  copy 
security,  CCR  security,  translation  security,  set  security,  downgrade  security,  and  release  security. 
In  this  section  we  consider,  one  by  one,  each  of  these  security  properties  and  give  the  outline  of 
a  proof  that  they  are  satisfied  by  any  module  that  meets  the  specification  outlined  above. 

2.6.1  State  Security 

The  original  MMS  definition  of  state  security  has  five  parts:  (i)  no  c  ntainer  may  have  a  lower 
clearance  than  the  entities  it  contains,  (ii)  no  entity  displayed  on  a  user’s  terminal  may  have 
a  classification  that  is  higher  than  the  user’s  clearance,  (iii)  no  entity  may  be  displayed  on  an 
output  device  unless  its  classification  is  displayed  along  with  it,  (iv)  no  user  may  have  a  role 
that  does  not  belong  to  his  current  role  set,  and  (v)  the  actual  classification  of  an  output  device 
may  not  exceed  its  authorized  maximum  classification.  These  requirements  are  specified  in  the 
following  definition  of  the  trace  predicate  state_secure. 

state^ecure(T)  <—  [VrVsV/fc  [H(r,  7,  s,  k)  —  CE(s,T)  <  CE(r,  T)]  AVoVuVkVr  [[H(o,T,  r,  k)  A  logged  _in(«,  o,  T)]  — * 
CU(u,  T)  >  CE(r.  7)]  A  Vo  Vx  [D(o.  x,  value,  T)  —>  D(o.  x.  classification ,  7)]  A  Vu  [RO(u,  T ,  r)  —  R(u.  T.  r)]  A 
Vo  [CD(o,  T)  >  CE(o,  T))] 

Proving  that  state  security  holds  simply  means  proving  that  every  legal  trace  satisfies  this  pred¬ 
icate,  i.e. 

Lemma  1  (State  Security)  VT[L (T)  state_secure(7)]. 

Proof:  Consider  the  first  clause.  Suppose  that  L(T)  and  H(r,  T ,  s ,  k )  hold.  Then,  by  the  definition 
of  H,  it  follows  that  r  :  k  is  coreferential  with  s.  By  the  axioms  for  coref,  this  means  that  the 
entity  E(s,  T),  to  which  s  refers  at  T,  was  at  some  time  inserted  into  the  entity  E(r,  T).  Since 
L(T)  holds,  every  prefix  of  T  must  be  legal,  and  so  the  insertion  of  E(s ,  T)  into  E(r ,  T)  must 
have  been  a  legal  operation.  Hence,  at  the  time  of  insertion  S,  it  must  have  been  true  that 
CE(5,  S)  <  CE(r,  5).  But  since  T  is  a  legal  trace,  all  of  its  prefixes  are  legal,  and  since  the 
downgrade  operation  is  specified  so  that  a  container  cannot  legally  be  downgraded  to  below 
the  level  of  its  most  highly  classified  element,  and  in  view  of  the  Downgrade  Security  Lemma 
(proved  below),  it  follows  that  CE(s,  T)  <  CE(r,  T). 

Consider  the  second  clause,  and  suppose  that  L(T),  H (o,T,r,k)  and  logged_in(/<,  o,  T)  all 
hold.  From  H(o,  T.  r ,  k)  it  follows  that  coref(o  :  k.  T ,  r,  7),  and  since  logged_in(M.  o ,  T),  it  must 
be  that  u  inserted  E(r.  T)  into  o  during  his  current  session.  (The  latter  follows  from  the  last 
coreference  axiom  and  from  the  fact  that  logging  out  is  only  legal  if  one’s  terminal  is  clear,  so 
that  o  must  have  been  empty  when  u  logged  in.)  Since  u  himself  or  herself  inserted  E{r.T)  into 
o,  it  follows  from  the  legality  condition  of  insert  that  u  had  the  necessary  clearance  at  the  time 
of  insertion.  Since  references  can  only  be  downgraded,  and  since  the  clearance  of  a  user  cannot 
be  changed  except  when  he  is  logged  out,  it  follows  that  CU(w,  T)  >  CE(r,  T). 

Regarding  the  third  clause,  suppose  that  D(<?,  x.  value ,  T)  holds.  Then,  by  the  definition  of  D, 
it  follows  that  from  some  time  in  the  history  of  T,  say  at  trace  S,  the  value  of  x  was  displayed 
on  o.  The  legality  clause  for  display  implies  that  the  last  procedure  call  in  S  is  the  operation  of 
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displaying  .t’s  classification  on  o.  This  classification  must  still  be  displayed  at  T,  since  x  has  not 
been  removed  from  o  in  the  meantime,  hence  D(o,  x,  classification ,  7)  holds  as  required. 

Regarding  the  fourth  clause,  suppose  that  RO(«,  7.  r)  holds.  Without  loss  of  generality, 
suppose  that  u  is  not  Root,  T  is  not  the  empty  trace,  and  r  is  not  sso.  Then,  by  the  definition  of 
RO,  it  follows  that  r  was,  at  some  time  S  in  the  history  of  7,  added  but  never  thereafter  removed 
from  the  list  of  u' s  roles.  But  then  by  the  legality  condition  of  add_R  it  follows  that  r  was  in  «’ s 
role  set  at  5.  And,  since  R  has  been  a  role  of  u  continuously  since  S,  it  follows  from  the  legality 
condition  of  rm_R  that  r  was  never  removed  from  u's  role  set.  Hence  R (u.  7.  r )  as  required. 

Regarding  the  fifth  clause,  suppose,  without  loss  of  generality,  that  CD(o,  T)  is  higher  than  the 
value  unclassified.  Then  it  was  set  higher  at  some  point  in  the  history  of  7 ;  let  S  be  the  moment 
of  the  last  such  setting,  and  let  /  be  the  level  to  which  CD  was  last  set.  The  legality  condition  of 
set_CD  implies  that  /  >  CE(o.  S)  holds.  Now  consider  moments  since  5;  by  hypothesis,  CD  has 
not  been  modified  since  5,  but  if  CE  has  been  modified,  then,  by  the  legality  condition  of  set_CE, 
it  follows  that  any  such  modification  was  to  a  level  no  greater  than  /.  Hence  CD(o,  T)  >  CE(o,  7), 
as  required.  | 

2  6.2  Access  Security 

The  original  \1MS  model  definition  of  access  security  states  that  a  user  may  perform  a  given 
operation  involving  an  entity  only  if  the  triple  cor-'isting  of  (a)  either  the  user  or  one  of  his  roles, 
(b)  the  operation,  and  (c)  the  entity’s  position  appear  in  the  entity’s  access  set.  In  order  to  state 
this  requirement  in  terms  of  traces  we  define  the  predicate  acc_secure,  which  holds  of  a  trace 
and  a  procedure  call  just  in  case  the  given  procedure  call  itself  does  not  violate  access  security. 

acc.securc(7.  C)  —  [rcfcrencc(arg(C.  k))  —  [  AS(arg(C,  1),  callnamc(C),  arg(C,  k),  k,  l')  v  3r  [RO(arg(C,  1),  T,  r)  A 
AS(r,  callnamc(C).  arg(C.  k).  k.  7")])] 

Proving  that  the  module  specified  here  meets  the  requirement  of  access  security  means  proving 
that  every  legal  occurrence  of  a  procedure  call  satisfies  this  predicate,  i.e.  we  must  prove: 

Lemma  2  (Access  Security)  V7VC[L(7.C)  — +  acc_secure(7,  C)]. 

Proof:  By  the  definition  of  ref-secure  and  by  inspection  of  the  legality  condition  of  each  proce¬ 
dure.  | 


2.6.3  Set  Security 

Set  security  is  really  two  requirements:  (i)  a  change  in  the  maximum  classification  of  a  device 
or  the  classification  or  role  set  of  a  user  may  only  be  made  by  a  user  with  the  role  of  system 
security  officer,  and  (ii)  a  change  in  the  role  of  a  user  may  only  be  made  by  the  user  himself  or 
by  a  system  security  officer.  Proving  that  our  specification  meets  this  requirement  means  proving 
that  every  legal  occurrence  of  a  procedure  call  satisfies  the  predicate  set.secure: 

sct_sccurc(7.  C)  ~  (VoVxUCD^.T)  CD(o,  T  Q  V  CU(jc,  T)  £  CU(x,  T.Q  V  3/  ->[R(jc,  T.l)  =  R(x.  T  C.  /)]]  — 
RO(arg(C.  1)  7  ,w)]A  [Vm|3MRO(m.  7’,  0  =  RO(m,  7  .C.  7)]  —  \u  =  arg(C,  1)  v  RO(«.  T,  .wo)]]) 
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Lemma  3  (Set  Security)  VTVC[  L(r.C)  — >  set_secure(7,  C)]. 


Proof:  There  are  four  cases  to  consider.  To  begin  with,  consider  the  case  where  CD(o,  T)  f 
CD(o,  T.C)  holds.  From  this  and  the  definition  of  CD  it  follows  that  callname(C)  =  set_CD. 
Since  L(T.C)  holds,  we  have  by  the  legality  axiom  for  set.CD  that  RO(arg(C,  1),  T,  sso),  as 
required. 

Suppose  next  that  CU(x,  T)  £  CU(x,  T.C).  From  this  and  the  definition  of  CU  it  follows  that 
callname(C)  =  set.cu.  Since,  again,  L(T.C)  holds,  we  have  by  the  legality  axiom  for  seLcu  that 
RO(arg(C,  1),  T,  sso),  as  required. 

Suppose  that  — >[R(jc,  T,  /)  =  R(jr,  T.C,  /)]  holds;  there  are  two  cases.  If  R(x.T.l)  holds  but 
R (x.T.C.l)  does  not,  then  callname(C)  =  rm_R,  by  the  definition  of  R.  But  since  L (T.C)  holds, 
it  folio: /s  from  the  legality  axiom  for  rm_R  that  RO(arg(C,  1),  T,  sso),  as  required.  If  ROc,  T.C.  1) 
holds  but  R(x,  T.  1)  does  not,  then  callname(C)  =  add_R,  by  the  definition  of  R.  By  a  similar 
argument,  it  follows  again  that  RO(arg(C,  1),  T,  sso). 

Finally,  suppose  that  -'[RO(«,  T,  /)  =  RO(m,  T.C,  /)];  the  argument  and  case  structure  are 
exactly  as  for  the  previous  case,  except  that  in  this  case  it  follows  that  [m  =  arg(C,  1)  V 
RO(m.  T.  sso)].  | 

2.6.4  Downgrade  Security 

To  express  downgrade  security  we  need  the  following  predicate,  which  holds  of  an  occurrence  of 
a  procedure  call  just  in  case  that  occurrence  either  brings  about  no  downgrade  in  the  classification 
of  any  entity,  or,  if  it  does,  then  it  is  an  invocation  of  the  downgrade  procedure  by  a  user  with 
the  role  of  downgrader. 

downgrade_secure(T,  Q  — >  Vx[[->device(;c)  A  CE(x,  T)  >  CE(x,  T.C)}  — * 

[callnamc(C)  =  downgradeA 
RO(arg(C,  1),  T.  downgrader )]] 

To  establish  Downgrade  Security  we  prove: 

Lemma  4  (Downgrade  Security)  VTVC[L(T.C)  — ►  downgrade_secure(7\  C)  ]. 

Proof:  Suppose  that  CE(x, T)  >  CE(x,T.C)  holds.  Since  x  has  a  classification  at  T,  C  must 
not  be  a  call  to  either  the  procedures  cont.create  or  obj.create,  and  since  x  is  not  a  device, 
C  must  not  be  a  call  to  set.CE,  either.  Hence,  by  the  definition  of  CE  it  must  be  a  call  to 
downgrade,  as  required.  And  since  T.C  is  legal,  it  follows  by  the  legality  axiom  of  downgrade 
that  RO(arg(C,  1  ),T,  downgrader),  as  required.  | 

2.6.5  Release  Security 

For  establishing  release  security  we  need  this  predicate. 

rcleasc-securccr,  Q  —  [[T (r,  T)  =  RM  —  [T(r.  T.C)  =  RM  A  V«  [RE(r,  7  ,  u)  —  RE(r,  T.C.  u)H  A  [|T(r.  T)  /  RM  A 
T(r,  T.C)  =  RM\  —  [RE(/-,  T.C,  arg(C,  1))  A  callname(Q  =  release  A  arg(C,  2)  =  r  A  RO(arg(C.  1 ).  T.  rcleascr)  a 
T(r,  T)  =  DM]]] 


Lemma  5  (Release  Security)  VTVC[  L (T.C)  — >  release_secure(T,  C)]. 

Proof:  There  are  two  cases.  Suppose  that  T(r,  T)  =  RM;  then  callname(C)  f  release,  by  the 
legality  axiom  for  release,  which  also  implies  that  RE(r,  T,  u )  — >  RE(r,  T.C,  u),  since  T  is  a  prefix 
of  T.C. 

Suppose  instead  that  T(r,  T)  f  RM  but  T(r,T.C)  =  RM.  In  this  case  it  follows  from  the 
definition  of  T  that  callname(C)  =  release  and  arg(C,  2)  =  r,  as  required.  By  the  legality  of  T.C 
and  by  the  legality  axiom  for  release  it  follows  that  RO(arg(C,  1),T,  releaser)  holds,  as  required, 
and  by  the  definition  of  DM  it  follows  that  T(r,  T)  =  DM,  as  required.  | 

2.6.6  Translation  Security 

In  order  to  prove  translation  security  we  need  this  predicate: 
trans.secure(7',  Q  — »■  Vo  Vx  Vz  Vm  [[ logged Jn(«,  o,  T.C)  A  direcLref(x)A 

D(o,x,  direct-ref ,  7  Q]  —  Vs  [3r3/k  [arg(C,  k.)  =  r  A  £(r,  T)  =  E(x,  T)  A  based.on(r,  z,  7)  A  E(s,  T)  =  z  A  CCR(s,  T)]  — * • 
CU(«,T)  >  CE(s,  T)U) 

Lemma  6  (Translation  Security)  VTVC[L(T.C)  — *  trans_secure(T,  C)]. 

Proof:  Suppose,  as  required,  that  a  direct  reference  to  an  entity  is  being  displayed  on  the  terminal 
of  a  user  who  is  logged  in;  i.e.  suppose  that  D(o,x,  direct-ref  T.C)  and  the  other  hypotheses  of 
trans_secure(T.  C)  hold.  Then,  by  the  definition  of  D,  there  is  a  prefix  S.C  of  T  such  that  C  is  a 
call  to  display  and  direct-ref  is  its  third  argument.  By  the  legality  of  S.C  and  the  legality  axiom 
of  display,  it  follows  that  CU(u,  T)  >  CE (s,  T),  as  required.  | 

2.6.7  Copy  and  CCR  Security 

Copy  and  CCR  security  are  based  on  the  notion  of  potential  modification,  for  which  a  rather 
complicated  trace  definition  is  given  in  the  appendix  to  this  report.  The  idea  behind  potential 
modification,  is  this:  a  procedure  call  C  potentially  modifies  a  reference  r  at  a  trace  T  with  an 
entity  y  as  a  contributing  factor  if  and  only  if  there  is  at  least  one  trace  S  that  would  be  equivalent 
to  T  except  for  the  values  of  some  entities,6  such  that  C  executed  at  5  modifies  some  function 
F  of  r,  where  F  is  taken  from  the  following  list:  access  set,  containment,  value,  CCR  value, 
classification,  or  message  type,  and  where  the  F-value  of  r  varies  depending  on  the  (entity)  value 
of  y.  Copy  security  requires  that  any  such  contributing  factor  have  a  classification  no  higher 
than  r  itself  has.  CCR  security  requires  that  if  y  is  an  entity  that  is  based  on  a  CCR  container  x, 
and  if  y  is  a  contributing  factor  in  the  potential  modification  of  some  reference,  then  the  security 
clearance  of  the  user  submitting  the  procedure  call  must  be  at  least  as  great  as  the  classification 
of  x. 

The  relevant  trace  predicates  for  copy  and  CCR  security  are  these: 

copy. see urc(7\  Q  — *  VrVy  [pjnodify(C,  r,  T,  y)  — ►  3x[y  =  E(x,  T)  A  CE(x,  T)  <  CE(r,  T)] 

6Such  an  S  would  be  trace  equivalent  to  T,  since  entity  values  do  not  figure  in  trace  legality  and  since  there 
are  no  functions  in  the  module  that  return  them  as  values.  Equivalence  up  to  a  single  reference  is  expressed  in  the 
o.cquiv  predicate. 


a 


CCR.secure(7\  C)  <— •  VuWVzVy  [[3£r  =  arg (C,  k)  A  based_on(r,  y,  7)  A  3s  [y  =  E(s ,  D  A  CCR(s, 7)  A 
p_modify(C  z,  7,  £(r,  7))]  —  CU(u,  7)  >  CE(z,  7)] 

Lemma  7  (Reference  Security)  V7'VC  f  L(7.C)  — *  [copy_secure(7,  C)  A  CCR_secure(7'.  C)  ]. 

Proof:  Suppose  that  L (T.C)  holds.  Since  ref_secure(T,  C)  holds  of  each  7  and  C  such  that  T.C 
is  legal,  it  suffices  to  prove  that  p_modify(C,  r,  T,y )  — *  3s3k[coref(r,T,  s,T)  A  arg (C.k)  =  5]. 

Assume  that  p_modify(C,  r,  T,  y)  holds.  Let  S  be  given  such  that  5  =  7  and  -'e_equiv(5.  S.C.  E(r ,  S)) 
both  hold.  Let  F  be  an  entity  function  for  which  5  and  S.C  are  not  equivalent.  Note  that  since 
E(r,  5)  is  assumed  to  be  well-defined,  it  follows  that  C  is  not  cont.create  or  obj.create.  Note 
also  that  no  matter  which  entity  function  F  is,  it  follows  from  the  definition  of  the  7-predicate 
(e.g.  the  definition  of  CE(x,  7))  that  C  must  be  a  certain  procedure  that  sets  the  value  of  7. 
Obviously,  some  reference  to  E(r,  7)  will  have  to  be  mentioned  in  the  call  to  any  procedure  that 
sets  the  value  of  7  for  7(r,  5),  and  so  it  follows  that  35  3k  [coref(r.  7,  s.  T)  A  arg(C.  k )  =  s,  as 
required,  g 

Finally,  we  summarize  the  eight  basic  security  properties  in  the  predicate  MMS_secure: 

MMS.secure(i ,  Q  <->  [acc_sccure(7,  QAcopy_sccurc(7,  C)ACCR-secure(7,  C)Atrans_sccure(7,  QAsel.secure(7,  Qa 
downgrade_secure(7,  C)  A  rclcase_secure(7,  Q  A  state_secure(7)] 

These  lemmas  and  this  definition  suffice  to  prove  our  main  theorem. 

Theorem  1  (MMS  Security)  V7VC[L(7.C)  -+  MMS.secure(7,  C)  ]. 
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Appendix  -  The  MMS  model  specification 


Procedures 

login 

nf(T)  — *  [1/7  Iogln(a,  d))  — -  (->loggjMi_iJT(y.  d,  T)  A  u*crjeiuitj(»<,  7)  A  nljccuzCT,  logln(a,  </)))! 

(nffT)  A  L(T  logln(a,  d))|  — ►  (nf(T  login(a.  d))  — -  “»3*  3 ft  7  =  ft  logout  (a,  d)J 
[nffT)  A  L<r  logln(a,  d))  A  7  =  ft.  logouts,  d))]  —  7 .  log!n(a,  d)  =  7 

create.user 

nf(T)  — *  IUT  creMtt,uMiin,  v,  /))  —  fRO(*,  T,  mo)  A  ujer_cxi»tt(y,  T)  A  logged_in(a,  7)  A  -'u*erxxirt*(v,  7)  A  ref_aecure<T,  create-userfa,  v,  /))]] 
(nf(T)  A  l/T  create.ujer(a,  v.  /)))  — *  [nf(T  createjjserfa.  v,  /)  —  “*3a/  3 ft  [7  =  ft  delete_uaer<a7 ,  v)  A  CU(v,  ft)  =  /)! 

(nffT)  A  l/T  creale.userfa,  v,  /))  a  7  =  ft  delete  jjaerfa,  v)  A  CU(v,  7)  *  /]  — «■  7  create.u*er(y,  v,  f)  =  ft 


set.CU 

nf(T)  —  [l/T. 9et_cu(a.  v,  /))  —•  (RO(y,  7,  mo)  A  u»er.exi*a<«,  7)  A  loggedJn(a.  T)  A  u*crjexi«u<v,  7)  A  -MoggtdJr/v,  T)  A  refjecure(T,  set_cu(a,  v,  0)11 

(nflD  A  ur«lju(.,  V.  0)1  —  [ngr  *1jcu(«.  v,  0)  —  (CL'(v.  7")  /  /  A  -.35  3u'  3v'  3/  T  =  S  JeLcu(a' ,  <J ,  /'» 

(nffT)  A  L(r  «Uu(M,  v,  /))  A  CU(v,  7)  =  /]  —  7 seLcufa,  v,  /)  =  7 

(nffT)  A  l/T  jetjcu(a,  v,  /))  A  T  s  5  jet_cu(y7,  v/,  I7)]  —  7 seLcu(y,  v,  /)  =  S.seLcu(a,  v,  /)! 


add_R 

nf(T)  — *  [l/T  add_R(y,  v,  r))  •—  [RCXa,  7.  no)  A  logge<Lin(a,  7)  A  uier.exists(v,  7)  A  re£jecure<T,  add_R(a,  v,  r))]j 
(nim  A  Ur  add_R(i<,  v,  r))l  —  (nffT  ad<LR(a,  v,  r»  _  [  -i  R(v,  T,  r)  A  ^3*'  35  T  =  S.m.R(.',  v,  r)|] 

Infm  A  Ur  add  Jl(a,  v,  /))  A  R(v,  T,r) |  —  7\add_R(«,  v,  r)  =  T 

InUr)  A  Ur  add  JKw,  v.  r))  A  T  -  5  muRfu' .  v,  r)|  —  TaddJKa.  v.  r))  =  5) 

rm_R 

nf(7)  — < •  (U7.rm.R(u,  v,  r)  —  Pogged-ir/a,  7)  A  ROfy,  7,  mo)  A  urerjcxi«t«(v,  7)  A  ->RO(v1  7,  r)  A  refjecun/T,  v,  r)J) 

(nf (7)  A  U7  rm  Jt(a,  v,  r)]  —  [nffT  rm_R(a,  v,  r))  —  (R(v,  7,  r)  a  3-'  3S  T  =  S  addin' ,  v,  r)\] 

(nffT)  A  1/7  rm_R(a,  v,  r)  A  -«R(v,  7,  r))  —  7.  rm_R(a,  v,  r)  =  7 
(nt(D  A  Ur  rm_R(«,  v,  r)  A  T  *  5  add_R(i/ .  v.  r)|  —  r  rm.R(*.  v,  r)  =  S 


add_RO 

nf(7)  —  (l/T  add_RO(y,  v.  r))  ~  f(RO(a,  7,  mo)  V  u  =  v)  A  loggedjnfa.  7)  A  R(v,  7,  r)  A  uacrjexi«ta(v,  7)  A  ref jecure(7,  add_RO(a,  v,  r))]| 

l nffT)  A  !/7  add _RCV„  v.  r))|  ^  |n«7  add  Jt<X«,  v,  r))  —  l“*RO(v,  7,  r)  A  -^Bn'  35  7  =  S  rnuRO(«' ,  v,  Oil 

(nffT)  A  1/7  add  JtO(y,  v,  r))  A  RO(v.  7,  r)\  —  7  add  J*0(«.  v.  /•)  =  7 

[nfT7,  A  1/7  add_RO(u,  v,  f))  A  7  =  S  rm_RO(i/ ,  v,  r)l  —  7  add_RO(u,  v,  r))  =  5J 


rm_RO 

nf(7)  — *  11/7  rnuRO(y,  v,  r)  — .  (loggedJn(a,  7)  A  (RO(y.  7,  »»)  v  w  =  v|  A  R(v,  7,  r)  A  uaerjexi»ts(v,  7)  A  refjecure(T,  rm.RCKa,  v,  r)]) 
InffT)  A  1/7  rm.RO(y,  v.  r)|  —  [nf{7  rmJtO(y,  v.  r))  ~  [RO(v,  7,  r)  A  -i 3a7  35  7  =  5  add.Rfa',  v,  r)\\ 

(nffT)  A  1/7  rm.RO<M,  v,  r)  A  ^RO(v,  7,  r)J  —  7  rm_RO(w.  v.  r)  =  7 
(nffT)  A  1/7  rmJtOfy,  v.  r)  A  7  =  S  adiROfa7,  v,  r)|  —  7  nruROfa,  v,  r)  =  S 


delete.user 

nffO  —  (1/7  de  let*  .u  serf  a,  v))  •-*  (loggedjnfa.  7)  A  RO(a,  7,  no)  A  uaer^xim(v,  7)  A  rcfjecure(7,  delete  .uaer(a,  v)))) 
(nffT)  A  1/7  deletejnerfa,  v))  —•  (nffT  delete jnerf a,  a)  —  (-*3a7  35  7  =  5  creale.uaer(a7,  v>] 

(nff7)  A  1/7  delete  jiaerfa,  v))  A  7  *  5  create.uaerfa7 ,  v)|  -  7  delete. u«er(y,  v)  =  S] 
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add_AS 

(nRT)  —  [UT.»dd_ASd,  v,  c,  i,  A))  «—  poggedjnd,  7)  A  ROd,  7,  i»o)  a  re£.exiits(i,  7)  A  [rde(v)  V  userxxistsd,  71)  A  rcf_aecuie(T,  addLASd,  v,  c,  i,  A))]) 
(nRT)  A  L(T  add-ASd,  v,  c,  i,  A))]  —  [nRT. ad<LASd,  v,  c,  i,  A»  —  v5  afterxvei>-.rel<3  3)(5,  adiAS,  rm_AS,  (4,  i),  2,  v,  3,  c,  5,  A;  (4,  0, 2,  v,  3,  c,  5.  A,  7) A 
->3;3i/  35(7  *  5  nn_AS(i/,  v,  ef>,  A>  A  ccreRi,  TJ,  5)]] 

[nRT)  A  U7.add.ASd,  w,  c,  i.  A))  A  7  «  5.rmjtSd* ,  v,  A)  A  coreRi,  T,),  5)]  —»  Tad<LASd,  v,  c,  i,  A)  =  5] 

[nRT)  A  U7.add_ASd,  v,  e,  i.  A))  A  -»V5  aftcrxveryjc^  ^jCi,  adcLAS,  rm_AS,  (4,  i),  2,  v,  3,  c,  5,  A; (4,  i),  2,  v,  3,  c,  5,  A,  DJ  —  T.add_ASd,  v,  c,  i,  A)  =  7] 


rm_AS 

[nR71  — •  PUT*.  rm_AS(a,  v,  c,  i,  A)>  *-*  (loggedJnd,  7)  A  ROd,  T,  *ao)  A  re£x»its(i,  7)  A  [role(v)  V  userxxistsd,  71)  A  reCsecure(T,  rm_ASd,  v,  c,  i,  A)))) 
[nRTl  A  U7.rm.ASd,  w,  c,  i,  A)))  — •  [nf(7  rm _ASd,  v,  c,  i,  A))  •-»  35  ion* -none j«f^3  3)(5,  add_AS,  rm_AS,  (4,  i),  2,  v,  3,  c,  5,  A;  (4,  j),  2,  v,  3,  c,  5,  A,  7)A 
-»3>3*#  35  IT*  5  add_AS(w',  v,  c,j,k)A  coreRi.  T,>,  5)]] 

(nRT)  A  L (7.  mi_ASd,  v,  c,  i,  A))  A  7  »  5  .add_ASd' ,  v,  A)  A  core  ft  i,  f,;,  5)]  —  rrmAS^,  v,  e,  i,  A)  =  5) 

[nRT)  A  L (T  rm_ASd,  v,  c,  i,  A))  A  35  ■ome.jH»e-n:f^3i3)(5l  *d<LAS,  nn_AS,  (4,  i),  2,  v,  3,  c,  5,  A;  (4,  j),  2,  v,  3,  c,  5,  A,  T)]  —  7.  rm_ASd,  v,  c,  i,  A)  =  71 


currentJR 

nf(71  — »  (L(T.current_Rd,  v,  r))  «—■  [loggedJnd.  7)  A  [ROd,  7,  sso)  V  u  =  v]  A  userxxistsd,  7)  A  reLsecure(7,  currenLRd,  v,  r))]] 

->nf(T  currenLRd,  v» 

(nR7)  A  U7.  currenLRd,  v,  r))J  — •  7.  currenLRd,  v,  r)  =  7 

[nRT)  A  U7.  currenLRd,  v,  r)))  —  [[V(T.currentJld,  v,  r))  »  True  —  R(v,  7,  r))  A  [V(7.currenLRd,  v,  r))  *  False  •-*  ~>R(v,  7 ,  r)]] 

currentJRO 

nf(71  —  [UT  current_ROd,  v,  r))  — *  [loggedJnd,  7)  A  (ROd,  7 ,  wo)  V  *  =  v]  A  userxxistsd,  7)  A  reLsecure<T,  currenLROd,  v,  r))]] 

->nf(7  currenl_RO(«,  v)) 

(nRT)  A  UT  currenLRO(k,  v,  r))J  —  7.current_RO(a,  v,  r)  =  7 

[n R7)  A  UT  current_RO(«,  v.  r»]  —  ((V(7  currenLRCXa,  v,  r))  *  True  —  RO(v,  7,  r )]  A  [VC7.current_RO(«,  v,  r))  *  False  —  --RO(v,  7,  r)J] 

currentXU 

nf(7)  —  [L^.currenLCUC*!,  v,  r ))  [lo8gedJn(«,  7)  A  [RO(u,  7,  sso)  V  a  »  v)  A  userxxist^v,  7)  A  ^  '  » ,  currentCU(a,  v,  r))]] 

^nf(7  currenCCU(y,  v» 

(nRT)  A  L(7  current,CU(a,  v,  r))J  —  7  currenLC^ii,  v,  r)  =  7 
(nRT)  A  UT  currenLCUCy,  v,  /))]  —  ^(T.currentXLXa,  v))  =  CUfv,  7)J 

set.CCR 

nf(71  —  [UT  sel-CCR(M,  r.  x ))  •—  (]o^edJn(w,  T)  A  u*erxxj«u(«,  T)  A  conUiner(r,  7^  A  refxxiitRr,  7)  A  AS(«,  seLCCR,  r,  2,  7)  A  re£_sccure(T(  set.CCR(a,  r,  z)))J 
(nRT)  A  U7.felXCR(ii,  r,  *))]  ^  [nRT  setXCR(«,  r,  x))  -*  (CCR(r,  7)  /  x  A  -«353v3>  7  *  5.setXCR(v,  r,  y)J 
(nRT)  A  UT  jelXCR(ii,  r.  x))  A  CCR(r,  7)  =  x)  —  7.set.CCR(«,  r,  x)  =  7 

[nf(7)  A  UT  setXCR(u.  r,  x))  A  7  =  5  *LCCR(v.  r,  y)J  —  7,setXCR(*,  r,  x)  =  5.setXCR(«,  r,  x)] 

downgrade 

— »  (UT.  downgrade^,  r,  0  [RO(“,  downgrtder,  7)  A  logged  jn(«,  7)  A  uaer.exists(w,  71  A  rcCxxiitsi  A  CE(r,  7)  >  /  A  Vf  V4  [H(/,  7,  r,  A)  CE(/,  7)  <  l]  A  callname<0  = 

downgrade  A  A5(«,  downgrade,  r,  2,  7)  A  re£jecure(7,  downgrade(a,  r,  01) 

(nffT)  A  UT  downgraded,  r,  0)  — *  nRT  downgraded,  r,  0) 

release 

nf(T)  —  [UT  released,  ')  —  (RO(u,  releaser,  7)  A  userx*isis(a,  7)  A  loggedJn(u,  7)  A  reCexists(r,  7)  A  T(r,  7)  »  DM  A  A Sd,  release,  r,  2,  7)  A  refxecure(7,  release<u,  r)J) 

(nRT)  A  UT  released,  r)]  —  nRT  released,  r» 

logout 

nf(7)  —  (U7  logouRa,  d))  —  [loggedLind,  d,  7)  A  3£H(<4,  7,  r,  A)  A  ref_*ecure<T,  logouRa,  </)))) 
fnRT)  A  UT  log outd,  <0)j  — *  (nRT  fagoutd,  *0)  —  ->35  7  *  5  logln<«,  d)] 
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[nf(T)  A  UTMogoutCu,  eft)  A  7  *  S  login(n,  d)]  —  7  logout u,  d)  ^  S) 


current_AS 

nf(T)  —  [L(T  currenHS(u,  v,  c,  r,  i»  —  [loggedin(n,  7)  A  ROfu,  T,  mo)  A  uaer.exiat*(v,  7>  A  reLexiatsfr,  7)  A  refjeairefT,  currenl_A5(w,  v,  e,  r,  i))JJ 
->nf(T  currenLAS(a,  v,  c.  r,  4)) 

[nftn  A  L(7  current_AS(B,  v,  c,  r,  4»]  —  7,currenCAS(ii,  v,  c,  r,t)ST 

JnftT)  A  1X7  currenLAS(u,  v,  c,  r,  4))]  —  |{V{7  currenLAS(n,  v,  c,  r,  4))  =  True  —  AS(v,  c,  r,  4,  T)]  A  rV(T.currenUAS(«,  v,  c,  r,  4 ))  ■  False  •—  ->AS(v,  e,  r ,  4,  T)J] 


current_CE 

nf(7)  —  (LXT  currentXE(u,  r))  ~  [logge<Un(a,  7)  A  RO(m.  7,  s»o)  A  U9er-exi>u(v,  7)  A  refLexieuCr,  7)  A  refjecure<T,  currenLCEf*,  r))JJ 
-'nf(7.currenLCE(«,  r)) 

[n tift  A  L<7  currenLCE(u,  r))|  —  7  currenLCEfu,  r)  =  7 
(nf^T)  A  L(T  currtnL,CE(u,  r))|  —  (V(T  currenLCE(y,  r))  =  CE(/%  7) 


current.CCR 

nf(7)  —  (LXT  currentXCR(«,  r))  —  [logged jn(«,  7)  A  RO(u,  7,  mo)  A  refjsxiits(r,  7)  A  reC«cure(T,  current-CCRCu,  r)))] 
-«nf(T  current-CCR(u,  r)) 

(nfl(T)  A  L(7  current_CCR(ii,  r)))  — *  7  currenLCCRO,  r)  =  7 

[nflD  A  U7  currenLCCR(u,  r))l  —  (V(7  currenLCCR(«,  r ))  *  CCR(r,  7) 


current.TY 

nf(T)  — *  [L(7.current_TY(M,  r))  —  (loggcdJn(u,  7)  A  RO(h,  7,  mo)  A  refjexixu(r,  7)  A  reLaecure(T,  currentTY(«,  r))|] 
-tn/(T  current_TY(u,  r)) 

(nf(T)  A  LXT  currenLTY(n,  r»]  —  7.current_TY(u,  r)  =  7 
(nfCO  A  U7  current_TY(«.  r))\  —  (V(7  currenLTY(«.  r))  =  T(r,  7)] 


set_CE 

nC(T)  —  iUT  Mt.CE(M.  d.  0)  —  [log»wLm(«,  7)  A  AS(ii,  Mt.CE,  d,  2,  7)  A  *vicc<d)  A  I  <  CTHi,  7)  A  rcCjec>in:(7t  MtXE(i<,  d,  0)1) 

(nf<7)  A  U7  Mt.CEfM,  d,  0)1  —  (rifiT  xtXEO,  d,  0)  —  (-.Sn1  3/  35  7  =  5  jet_CE(i/,  d, /)  A  VC  V*  [[p«cfix(R  C,  7)  A  cxllnunetC)  m  Ml.CE  A  coMttxxgfC,  2),  R,  d,  T»  — 

IxrgtC,  2)  jt  I  V  3C*  35  [cxllnxratC1 )  a  Mt.CE  A  corcRugfC' ,  2),  5,  d,  7)  A  pre6x(R  C,  S  C')  A  «j(C',  2)  *  01)1 

(nftT)  A  U7  Mt.CE(«,  d,  0)  A  7  =  S  itLCEh'.d,  /'ll  —  7  Mt_CE(«  d,  0  3  5  it>.CE(u,  d,  0 

(nttT)  A  U7  Mt.CEtx,  d,  0)  A  3C3R  |prefix(R  C,  7)  A  calliujmcCC)  =  Mt.CE  A  corcftirgCC,  2),  R,  d,  7)  A  trg(C,  2)  =:  /  A  -i3C^  35  [callnanietC7 )  ~  Mt.CE  A  ci*c(tu 2),  5,  d.  7)  A 

prefix'R  C,  5  O')  A  •ig(C/,  2)  ^  Oil  —  7  Mt.CE(«,  d,  0  =  7 

set.CD 

nf(7^  —  [1X7,  eet_CD(M,  d,  0)  [loggedJiXu,  7)  A  RfX«,  7,  iso)  A  CE<d,  T)  <  I  A  device(rf)  A  refjecure(7,  s«LCD(m,  rf,  0))] 

[nim  A  U7  Mt-Clx*,  d,  0)1  —  |n«7  Mt.CtXu,  d,  0)  —  (-.3«'  St1  35  7  =  S,«LC[I(*',  d,  f1)  A  VC  VRf(pM6x(R  C,  7)  A  c«lln»n>:(C3  «  MCCD  A  corcf(xrg(C,  2),  R,  d,  7)]  — 

[xrg(C,  2)  ^  I  V  3C1  35[cxHnxir«(C')  =  mUCD  a  cmxffiigfC'  2).  5,  d,  7)  A  prefix(R  C,  S  C')  A  ugCC*,  2) ,(  Oil) 

InftT)  A  L(7.Mt.CD<M,  d,  0)  A  7  ■  5  MCCWi/ ,  d,  )')|  —  7  mCCIXm.  d,  0  =  S  mCCDCm,  d,  0 

|nlT70  A  U7  mCCIXm,  d,  0)  A  3C  3R  [prefixtR.C,  7)  A  cxllnxmetC)  =  Mt_CD  A  corefCa/g (C,  2),  R,  d,  7)  A  vg(C,  2)  =  /  A  -'3C/  35  i cxi i r.xme( )  *  jet_CD  A  corc(t*rg(C/ ,  2),  5,  d.  7)  A 
prefixtR  C,  5  Cf )  A  xrgtc',  2)  X  011  —  7mLCD(m,  d,  0  =  7 


currenLCD 

uf(7)  -*  [U7  currenLCIXu.  d))  (logged  jr^u,  7)  A  RCK*.  7,  mo)  a  device<rf)]] 

->nf{7  currenLCIX**,  <0) 

[nRT)  A  IX7.current.CD(“,  <0)]  — *  7  currents IX*.  <f)  =  7 
(nltT)  A  1X7  currentXD<«i.  d)))  —  V(7  current.CD(«,  d))  =  CD(d,  7^| 


display 

nf(7)  —  [1X7  dlspUy(u,  r./,  d))  —  [loggedJn(ii,  7)ArefMCxi«j(^,  7)Adevice<d)A  CU(«,  7)  >  CE<r,  7)ACD(d,  7)  >  CE<r,  7)AAS(m,  display,  r,  2,  7)A[/  *  value  V/  *  direcutsfv/  « 
d 6 cation  V  /  =  type  V  /  =  ccr.vaiuef  A  [f  =  value  —  fp«rt_ofl[r,  </,  7)  A  3 J  7  =  5  dleplayfu.  r,  clawificaticc,  </)))  A  Vt[(/  ■  direct_ref  A  basedxnfr,  t,  7)  A  CCRfi,  7)  *»  True]  — * 
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CU(a,  7)  >  CE(s,  T)}]  A  ieC*ecuie(T,  display  (a,  r,/<  d))]) 

InflT)  A  UT.<lljpUy<«,  r,f,  d))]  —  [nf(T.  displays,  r,/,  d»  ~  VS  VC  [[pieExfS.C,  7)  A  corefcartfC,  2),  S,  r,  7)  A  callnamefC)  »  display  A  argfC,  3)  *  f  A  Vf(C14)  .  d]  — 
3*  3 D  (i«fix<S,  ft)  A  {(callnameCD)  «  display  A  erg <0,  4)  «  d  A  eoreffargtf),  2),  ft,  r,T)  A  arg(D,  3)  ^  /]  V  IcaUnameO))  «  dektajaf  A  coreKaxf(Z>,  2), tf,  r,  7)J  V  |arj(0,  4)  « 
d  A  callnime(0)  ■  identify]]]] 

[nfCO  A  UT. display^,  r,  f,  d))  A  3S  3C  {ptefixfS  C,  T)  A  coreffasgCC,  2),  S,  r,  7)  A  callnan*(C)  «  display  A  arg(C,  3)  »/  A  arg(C,  4)  -  d  A  ->.31?  3D  (pmfix(S,  1?)  A  [[callnan*<0)  = 
display  A  arg( 0,  4)  *  d  A  coref(irg(0,  2),  ,  r,  7}  A  ug(0,  3)  /  f]  v  {callname(D)  »  defete.rcr  A  carefftrtfD,  2),  r,  7})  V  [tigUD,  4)  -  4  A  caDnamc(D)  =  Identify]]]]  — 
7.  display  a,  r,/,  d)  S  T 

obj  .create 

of(7)  —  [L(7.  obj-create(w,  4,  I,  p))  —  [loggpdjn(n,  T)  A  iumg(p)  A  ->3S  [prefixes,  T)  A  reLexisttfi,  S)J  A  rcCsecurc(7*,  obJ.createG*,  4,  t,  p))]l 
inf(T)  A  L(T  otyjcrcatcOt,  k ,  1,  p))]  — *•  c?T  obi jirtate(u,  4,  1,  p)) 

cont.create 

nf(T)  —  [L(T. cont_cr eetefii,  k.  I ))  —  (loggedjnU,  T)  A  -.35  [pre&«(5,  D  A  rettxiiu <i,  T))  A  reUecurefT,  eonljCrenteU,  t,  0)1) 

(nftT)  A  LCT  cont_create(a,  4,  /))]  — *  nflTconLcreatefa,  k,  /)) 

insert 

nf(T)  —  [U7  lnsert(a,  x,  y,  4))  —  [U  7)  A  [logjpdJn<a,  y,  7)  —  CU<«,  7)  >  CEfy,  7)1  A  rcf.existo(x,  T)  A  *>Uxiito(y,  7)  A  CE(x,  7)  <  CE(y,  7)  A  --panjaffy,  *,  7)  A  4  > 

0  A  cont»jner(>)  A  AS(a,  Insert,  x,  2,  7}  A  AS(«,  Insert,  y,  3,  7)  A  refjecure(T,  Inserts,  x,  y,  4))  A  [4  *  1  V  3/  HCi,  7,  y,  *  —  1)1]] 

(nffT)  A  L<7  lnsert(u,  x,  y,  4))]  —  nfl;T  lnsert(«,  x,  y,  4)) 

remove 

nf(T)  -  (L(T  removed,  x,  y,  4))  ~  [loggpd_in(a,  7)  A  refxxistafx,  7)  A  4  >  0  A  AS(«,  remove,  x,  2,  7)  A  AS(«,  remove,  y,  3,  7) A  corefly,  7,  x  :  4,  7)  A  refjccureCT,  remove^,  x,  y,  4))]) 
inRT)  A  UT  removes ,  x,  y,  4))]  —  nRT  remove(u,  x,  y,  4» 

deletej>ef 

nf(T)  —  [L(T  delete j-ef(M,  r))  — »  (loggedjnfw,  7)  A  reCexiitsfr,  7)  A  A S(a,  delete _ref,  r,  2,  7)  A  iefjecuie(T,  delete_ref(«,  r))]] 

(nf(7^  A  U7  delete .refO,  r))]  — *  nTfT.delete.reftii,  r)) 

identify 

nf(D  —  (L(T  Identity*,  N,  f,  J))  —  [loggcdjtfu,  7)  A  dcvicc<i)  A  uxr{S)  A  If  =  tuerjd  V/  »  de«r«nco  V/  *  iaxu_et  V/  =  rolejct  V/  «  roiti]  A  retjecare(T,  ld,ntiry<»  N,f,  <fl)]] 

Infm  A  UT, ld«nt»y(ii,  A/,/,  <0)1  —  [nflT  IdentiryU,  A,  /,  </))  —  VS  VC  [(pn:&x(S.C,  T)  A  c«lta»Dic<C)  ■=  Identify  A  «rg(C,2)  .  N  A  ug(C,  3)  .  /  A  Kg(C.4)  =  — 

3»  30  (pre6,«,  *)  a  trgW,  4|  *  d  A  ((cJInemefO)  *  Identify  A  erg(0,  2)  >  N  A  «rg(D,  3)  ^/)  V  cellnemetD)  »  dleplny]) 

[nfTT)  A  UT  Identlfyfw,  At,/,  d))  A  35  3C[pefie(5-C,  73  A  cellnemefO  *  Identify  A  ergfC,  2)  -  N  A  «jg(C,  3)  ^  /  A  eig(C,  4)  «  i  A  -.3*  30||neb(5  C  ft)  A  irg(0  4)  = 
4  A  [[erg(0,  2)  =  N  A  ceJInemtfO)  .  Identify  A  ergfO,  3)  -  /I  V  cellneme(0)  -  dljpUyl]]  —  T  ldenUfy(»,  N,  f,  d)  =  T 

Definitions  of  predicates 
Prefixes 

prefix(e,  7) 

[prefix(S,  T)  A  T  =  S  C  /?)  — ►  prefix(S.  C,  7) 
prefixes,  7^  —*  (5  =  t  V  3^  3C]S  =  /?  C  A  prefix(/?,  7)]] 

References 

djrectJefT*)  A  Vr  34[directj«f(r)  — *  r  *  4) 
direct_refTr)  —  reference(r) 
reference(r)  —  refcrencefr  :  4) 

reference(r)  — .  (direct_ref(r)  V  3s  34  [references)  Ar»»:l|| 

Coreference 

coreffr,  7,  r,  7) 

corefl[r,  7,  s,  /?)  —  coieffs,  r,  T) 


corefl>,  7,  s,  R)  — *  [coref(s,  R,  t,  5)  — ►  coteffr,  7,  t,  5)) 


callnaroc(C)  *  Insert  — •  {coref(arg(C,  2),  7*,  arg(C,  3)  :  arg(C,  4),  T.C  A  (0  <  i  <  argfC,  4)  — *  corcffarg(C,  3)  :  k,  7,  arg (C,  3)  :  i,  7.C3]  A  ((i  >  arg (C,  4)  A  rcf«exiitj(arg(C,  3)  : 
i,  7)]  —  coref(arg (C.  3)  :  i,  7,  arg(C,  3)  :  {*  ♦  1),  7Q1 

[[  cal  1  name  (C)  -  delete_ref  A  coreffargtC,  2),  S,  t  :  i,  7)1  V  [callname<C)  »  remove  A  coief(arg(C,  3),  5,  arg  (C,  2)  :  trg(C,  4),  T)  A  km  arg (C,  4)  A  x  «  arg(C,  3)]  — ►  (0  <  n  <  i  — • 
coreftx  :  h,T,  3  :  n,  T.C)\  A  U*  >  k  A  refjsxist*(*  :  «,  7)1  —  «xef(s  :  »,  T,  s  :  (»  —  \),  T.QU 

[callnamc<0  jrf  delete_ref  A  callname(C)  lnsert|  — *  [corefCr,  7,  l,  S)  — ►  coref(r,  7,  t,  5.  Q] 

corefCr,  7  x  :  t,  7)  — ►  3 C  35  (prefix(5.C,  7)  A  callname(C)  =  Insert  A  corcf(arg(C,  2),  5,  r,  7)  A  coreRargCC,  3),  5,  s,  T)) 


part.of 

coreRr,  7,  3,  T)  — -  part_offr,  s,  7) 

{part.of(r,  s,  7)  A  re£.exisw(r  :  i,  7))  —  part_of(r  :  k,  s,  7) 

Entities 

Vr  Vx  VTV*  (coreffr,  7,  x,  R)  —  £(r,  7)  =  £(x,  £)J 
Vr  V7  [reLexists(r,  7)  — *  3y  y  =  E\r,  7) 
cntiry.exist3(x,  7)  — »  3r  x  «  £(r,  7) 
enuty(x)  •-*  37entoty.exists(x,  7) 

[entity(x)  A  entity<y)  -*  (x  s  y  «-*  35373/j  3r2  [£(rj,  5)  »  x  A  7)  «  y  A  coref(ri ,  5,  rj,  7)]] 
Vx  VT  (entity .existsfx,  T)  — ►  3z(*  =  value(x,  7)  A  string(z)]l 


Basing  References  on  Entities 

Vr  Vi  Ve  [ref.exists(r  :  k,  7)  A  £(r,  7)  =  «)  — *  based_cn(r  :  k,  «,  7) 

Vr  Vi  V*  [ref_exists<r  :  i,  7)  A  bajed-onfr,  a,  7)]  — •  bascd_on(r  :  k,  t,T) 


Potential  Modification 


e_equiv(5,  7,  x)  —  3fj  Brj  (entity(x)  A£(rj ,  5)  =  x  AEfrj,  7)  »  xAVuVcVi  [AS(a,  c,  ,  k,  5)  -*  AS(a,  c,  rj,  k,  7)]A(CCR<rj ,  5)  =  True  «—  CCRC^,  7)1  A  (TY(x,  5)  =  TY(x,  T)]  A 
value(x,  5)  s=  value(x,  7)  A  Vjj  Vjj  (corefl[ij  ,  5,  xj.  7)  —  (part^^X! ,  rj ,  5)  —  partjaftxj'  r2-  ^)1)  A  CE(»'i .  $)  =  CE^rj,  7)  A  [(device^)  A  device(r2))  —  CD(ri ,  5)  *>=  CEKrj,  7)]] 

ojcquiv(S,  T.  y)  —  15  =  T  A  Vxlx  f  y  — •  value(x,  5)  =  value(x,  7)1 

pjnodify(C,  r,  7,  y)  •—  35[L(7.C)  A  rcfjexistsfr,  7)  A  entity xxists(y,  7)  A  5  =  7  A  -•c.equiv(5,  5.C,  £(r,  5))  A  ly  “  £(r.  7)  V  35j  352  [5  =  A  oxquiv(51 , 52,  y)  A 
~'C.equiv(52,  52  C,  £(r,  S2 ))111 


Security  properties 

state_securc(7)  ~  [VrVsVk  [H(r,  7,  s,  k)  —  CE(x,  7)  <  CE(r,  7)]  A  VoVuViVr  ([H(o,  7,  r,  i)  A  loggcdjn(u,  o,  7)]  —  CTJfii,  7)  >  CE(r,  7)J  A  Vo  Vx(D(o,  x,  value,  7)  — 

D (o.  x.  classification.  7)|  A  [RO<«.  7,  r)  —  R(«.  7.  r)]  A  Vo[CD(o.  7)  >  CE<o.  7)11 

acc_secure(7,  C)  — »  Vi  (rcference(arg(C,  i))  —  [ASfargfC,  1),  callname(C)l  arg (C,  i),  k,  T)  V  3r{RO(irg(C,  1).  7,  r)  A  AS(r,  callnaJne(C),  arg (C,  i),  i,  7)111 
copyjecure(7,  O  — »  VrVy  [pjnodify(C,  r ,  7.  y)  — »  3x[y  =  £(x,  7)  A  CE(x,  7)  <  CE(r,  7)1 

CCR_secujef7,  C)  «—  V«  Vr  Vz  Vy  [f34  r  =  arg(C,  i)  A  basedjon(r,  y,  7)  A  3s [y  =  £(r,  7)  A  CGR(r,  7)  A  pjnodifyfC',  r,  7,  £(r,  7))J  — *  CU(x,  7)  >  CEfr.  7)J 

transjecure(T,  Q  —  Vo  Vx  Vz  Va  [(loggedJ^u,  o,  7.  C)  A  directjef(x)  A  D(o,  x,  directjef,  7-01  **•  Vs  [3r3i|arg(C.  i)  *  r  A  £(r,  7)  =  £(x,  7)  A  baaecLonfr,  1,  7)  A  £(z,  7)  * 

/  A  CCRfr,  7)1  —  CU(«,  7)  >  CE(r,  7))]] 

ref.«cure(7,  C)  —  Vu  Vr  Vi  [reference(arg(C,  i))  — *  (CU(arg(C.  1),  7)  >  CE(irg(C,  £),  73  A  [3r  [based.on(arg(C,  i),  £(r,  7))  A  CCR(x,  7))  —  CU(arg(C,  1),  7)  >  CE(r,  7)J11 

set_seoire(r,  Q  —  [Vo  Vx  [[03(0,  7)  *  CD(o,  TQv  CU(x,  7)  *  CU(x,  7.0  V  31  -«lR(x,  T,  l)  =  R(x,  7.C,  7)11  —  RO(arg(C,  1),  7,  aao)]  A  [V*  [3/  -«(RO(m,  7,  /)  =  RO(a,  T.C,  7)1  — 

[u  =  argCC.  1)  V  RCKa,  7.  «o))]| 

downgrade.jecuie(7,  C)  —  j[-<device(x)  A  CE(x,  7)  >  CE(x,  7.C31  — *  (callname(C3  s=  downgrade  A  RCHargfC,  1),  7,  downgrader)]) 

release jecure(7,  O  -  ([T(r,  7)  =  RM  —  [T(r,  7  Q  =  RM  A  Va(RE(r,  7,  a)  —  RE(r.  T.C,  a)]]  A  l(T(r,  7)  ft  RM  A  T(r,  T.C)  =  RM)  —  [RE (r,  T.C,  arg(C,  1))  A  callnan*(C)  = 

release  A  *rg<C,  2)  =  r  A  RO(arg(C,  1),  7.  releaser)  A  Tfr,  7)  =  DMJJJ 

MMS  jecure(7,  C)  —  [acc*secure(7.  C)  A  copyjecure(7,  O  A  CCRjecure(7,  C)  A  transjecure(7,  O  A  set  je cure (7,  C)  A  downgrade. secure(7,  C)  A  release jecure(7,  C3  A  state jecure(T)] 


Other  predicates 


»«ncj»ne(j1>2)W.  c,,c2 .  ,  i, .  "i .  .  "t2  Jl;.1) 


prefixi/7  C2 


7)  A  callname(C2)  “  ^  A  {arg(C2,  «,)  *  y, } 


3Cj  (pre6x(5.Cj ,  7)  A  callname(Cj) 


*1 

C1  A  .  m.> 

i=l 


Xj}  A  — « 3/?  3C2  [prefix(5.  Cj ,  R)  A 


after . every  ^  ^(S,  cl,c2,m\.*i.  ,  ^  •  %  '•  *1  •  >1  •  •"*2’,*2’T)  ~  ^•ome -"’“(ij  c\ ■  ‘2'  m\ •  *!•  ■•••"■ftj  -  x*j  *•  "1  *  >1  •  •■•»  "ftj-^V  *> 


>n_afier^(5.  c, 


.  i"A.  x4,  7) 


3C3R[S  «  /?  C  A  prefix(S,  7)  A  callname(C) 


ft 

c  A  f\^{arg{C,  0  **,}) 
1-2 


uaer.e]usts(a,  D  «-*  [u  -  Root  V  3S  icraejwne^  ^  j j(S,  cre*te.u**r,  delete. user,  2,  u;2,  a,  7)] 
loggccLir/a,  7)  «—■  3d  logged-ii/a.  d,  T) 

logge<Lun(u,  d,  T)  3 R  [user  .exists  a.  7)  A  ****-“”*(2,2)^'  *°8*n-  logout,  1,  **,  2,  d\  1,  u,  ,  2,  d,  7)] 

*amc-naoc-ref(ft1.*2)(5>  0*.  *.  )«ii  «2'ml'  *1*  -■■•  '"ftj  •  xftj  :I*  1«>1*  0.  "*2'  >*2  '  ^  ~  3,1  3Cj  [piefix(S  Cj .  7)  A  arg(Cj ,  m)  *  /j  A  careftij ,  S,  r.T)  A  cannam^Cp)  * 

*1  *2 

CJ  A  j ^  { »rg(Cj ,  m,)  =  X,  }  A  -»3i2  3/?  SCjlprcfixCS.  Ci ,  /?)  A  prcfix(/f  C2,  7)  A  «rg(C2,  n)  -  A  coreftjj*  *>  r-  ^  ^  callname<C2 )  =  C2  A  {«rg(C2-  *,)  =  >,■}]) 
i=  1  i=l 

after. e very jef(Al  *^(5.  (m.  r),  cj .  c2.  "»i ,  *1 ,  •  ,  ,  x^  ;(*,  r),  nj.yj,  ,  a^,  y*2  .  7)  —  ^aomejumejef^ (m,  r),  Cj ,  ^2-  ml  -  *1  ■  >  '"ftj  ■  *ftj  ■  <"■  r>-  "1  •  71  •  •  "*2-  >*2  ’  ^ 

ft 

mjfterjef^fS,  c,  (m,  r),  ,  Xj  ,  .  -  • ,  m fL,  xg.T)  —•  3s3C3R  [S  =  R.C  A  prefix(S,  7)  A  c*llninie(C)  =  e  A  coref(j.  R,  r,T)  A  ergtC,  m)  —  g  A  ^ \ ^  {<*rg(C,  i)  ■  *,•}] 

I*! 

contxi ner(r)  —  3*  3S  3C|coref(ft,  S,  r,  7)  A  arg(C,  2)  -  ft  A  prefix(S.C,  T)  A  callname<C)  *  conLcreate  A  refjexist^r,  7)  A  VKVCq  [[callname(Co)  =  contxreate  v  callname(Co)  = 

06 j. create |  A  arg(Co,  *)  *  *  A  prefix(/f  Cq.  7)]  — *  pntxiR  Cq,  S.C))J 

reLexiita(r,  T)  *—  3S3C  [aornejnaoejef^o ,0)^>  c •  de)ete.ref,  (2,  r);(2,  r),  7)  A  |c  =  obj  .create  V  c  =  conLcreate]] 

RO(v,  T,  r )  •—  ([v  *  Root  A  r  =  »o|  V  3S  [some  jicoe^  2)^i  Xid-KO,  rm.RO,  2,  v,  3,  r.  2,  v,  3,  r,  7)  A  -*in_aAeri  (J,  delete  .user,  2,  v,  7)[] 

R(v,  T,  r)  «-•  ((v  s  Root  A  r  -  »o)  V  3S  [somejwne^  2)^'  tm-R.  2,  v,  3,  r. 2,  v,  3,  r,  7^  A  -»iiuiftBrj(S,  deletejiaer,  2,  v,  7)]J 

CU(v.  T)  =  I  ~  [3S(sorajicne(2  createjiser,  seLcu,  2,  v,  3, 1,2,  v,  T)  A  -uruafterjCS,  delete.uaer,  2,  v,  7))  V  [3S[aotnejtcne(S,  Mtjtu,  Mtjcu,  2,  v,  3, 1,2,  v,  T)A 
-'iaxfteri(S1  delete.user,  2,  v,  7^)j 

A S(v,  c,  r,k,T)  —  [RO(v,  r,  aao)  V  3S|aoinejictieje^3  3)(S,  adtLAS,  nruAS,  (4,  r).  2,  v,  3,  e,  5,  ft;(4,  r),  2,  v,  3,  c,  5,  ft,  T)  A  -.in-after^S,  deleUjiier,  2,  v,  7)][ 

CE (r,  T)  -  J  —  3S  3C  3r  nc*ilnamc(C)  »  seLCEV  callname^C)  *  cootxreate  V  callname<C)  -  obj.create  V  callnanWQ  -  downgrade)  A  ar*(C,  2)  =  rA  arg(C,  3)  =  /  A  corefti,  S,  r,  7)  A 
->  3^  in^fter  {S.C  R,  c ,  (2,  r),  3,  r,  7)  A  [e  -  delete_refV  c  =  downgrade  Vn  aeLCE) 

CCX(r,  7)  =  True  «  3 C0  3K0  VCVR[[callname(C)  -  aet.CCR  A  prefix(R  C,  7)  A  coref(arg(C,  2),  R,  r,  T))  —  prefix^. C,  R0  Cq))  A  arg (C,  3)  -  True) 

C CR(r,  T)  =  False  —  CCR(r,  7)  ^  True 

T(r,  S)  »  x  *—  [x  *  RM  A  3/?  3C[VTVD  ((ptefix(7,  S)  A  callname<£>)  =  delete  j-ef  A  coreflargtf),  2),  7,  r,  S))  —  prefix(7.D,  R-Ol  A  p«fix(/?.C,  S)  A  callname<C)  *  release  A 
coreftarg(C,  2),  R,  r,  S))]  V  [x  *  DM  A  ->3R  3C  (V7VD  [[prefix(7,  S)  A  callnamefD^  »  deletej-ef  A  coref(arg(D,  2),  T,  r,  S))  pefix(T  D,  R  Q)  A  prefix(/?.C,  S)  A  callname(0  * 
release  A  coreflarg(C,  2),  /?,  r,  S)]] 

CD (d,  7)  =  x  —  [3S3C[callname(0  =  set.CD  A  x  =  arg(C,  3)  A  V£>  V/?  [piefix(/?.D,  S.C)  —  (prefix(/?.D,  7)  A  callnamc(D)  =  set.CD  A  coreftarg(D,  2),  R,  d,  7)]))  V  (x  = 
unclassified  A  -1 3S  3C  [callname(C)  =  set.CD  A  prefix(S  C,  T)  A  coref(arg(C,  2),  S,  d,  7)]] 

RE(r,  7.  a)  —  3S  3C  |L(7)  A  pee  fix  (S  C,  7)  A  callname(0  =  release  A  arg(C,  1)  =  m] 

H(r,  7,  s,  ft)  —  corcftr  :  ft,  7,  s,  7) 

D(o,  x,  y,  W)  —  [device(o)A[3a3r3/37  3C/[y  =/Anftt/)AlF  =  t/Acoreflr,  t/,  x,  H0Aprefix(7.dlsplay(M,  r,/,  o),  f/)Ason*_i»one.je^i  ^(7,  display,  remove,  (2,  r),  4,  o;(2,  r),  3,  o,  t/)]V 
3a  3N  3f3T3U[x  =  S  A  >  =/  A  nf(t0  A  VF  =  t/  A  pecfix(7  ldenUfy(a,  *,/,  o),  t/)  A  somsjione^!  ^(7,  Identify,  Identity,  4,  ©;4,  o,  f>)]) 


Additional  Axioms  for  Normal  Form  and  Legality 

nf(e) 

VC(I,(7  Q  ^  1/7)) 
nf(7)  -  U7) 


VC(nfl7  Q  —  nf(7)) 


